Home / Middleware / Oracle Business Intelligence Enterprise Edition

3 Using Alternative Authentication Providers

This chapter explains how to configure Oracle Business Intelligence to use alternative directory servers for authentication instead of using the default Oracle WebLogic Server LDAP directory. This chapter explains how to set up Oracle Business Intelligence to use Oracle Internet Directory, Active Directory, and other authentication providers, and also explains how to use OID LDAP, or a database as a policy store, and credential store.

Note:

For a detailed list of security setup steps, see Section 1.7, "Detailed List of Steps for Setting Up Security in Oracle Business Intelligence".

This chapter contains the following sections:

• Introduction

• High-Level Steps for Configuring an Alternative Authentication Provider

• Setting Up Groups and Users in the Alternative Authentication Provider

• Configuring Oracle Business Intelligence to Use Alternative Authentication Providers

• Resetting the BI System User Credential

3.1 Introduction

When you use an alternative authentication provider, you will typically use administrative tools provided by your provider vendor to set up your users and groups. You can then assign these users and groups to the application roles defined in your BI Service Instance. For more information about assigning users and groups to application roles, see Section 2.4, "Managing Application Roles and Application Policies Using Fusion Middleware Control".

You continue to use the other Oracle Business Intelligence tools (such as, the Oracle BI Administration Tool, Fusion Middleware Control, and the Presentation Services Administration Page) to manage the other areas of the security model.

For a current list of supported authentication providers and directory servers to use with Oracle Business Intelligence, you select the authentication provider from the Type list in the Create a New Authentication Provider page. For more information, see System Requirements and Certification.

You can configure one or more supported authentication providers. For more information, see Section 3.4, "Configuring Oracle Business Intelligence to Use Alternative Authentication Providers".

If you use a directory server other than the default WebLogic LDAP Server, you can view the users and groups from the other directory server in Oracle WebLogic Server Administration Console. However, you must manage the users and groups in the interface for the directory server being used. For example, if you are using Oracle Internet Directory (OID LDAP), you must use OID Console to create and edit users and groups.

3.2 High-Level Steps for Configuring an Alternative Authentication Provider

To configure an alternative authentication provider:

1. Ensure your external Identity Store has all the users and groups setup for use with Oracle Business Intelligence.

   For more information, see Section 3.3, "Setting Up Groups and Users in the Alternative Authentication Provider".

2. Configure the necessary authentication provider(s) as described in Section 3.4, "Configuring Oracle Business Intelligence to Use Alternative Authentication Providers".

3. Go to the myrealm\Users and Groups tab to verify that the users and groups from the alternative authentication provider are displayed correctly. If the users and groups are displayed correctly, then proceed to the next step. Otherwise, reset your configuration settings and retry.

4. Assign application roles to corresponding groups (enterprise roles) of the new identity store, using Fusion Middleware Control.

   For more information, see Section 2.4.4.2, "Adding or Removing Members from an Application Role".

3.3 Setting Up Groups and Users in the Alternative Authentication Provider

Before you use an alternative authentication provider, you must configure suitable groups and users. You then associate them with the application roles within your BI Service Instance. Oracle Business Intelligence does not require or mandate any specific users or groups, and in a production environment your corporate Identity Store, for example Oracle Internet Directory (OID), would typically already contain users and groups relevant to you organization. However, for an example of how you might set up a simple system based on the Sample App Lite or Starter Applications see Section 2.2, "An Example Security Setup of Users, Groups, and Application Roles".

To set up users and groups in an alternative authentication provider:

1. Create groups in the alternative authentication provider similar to the application roles from your BI Service Instance. For example (using the Sample Application):

   BIServiceAdministrators, BIContentAuthors, BIConsumers

2. Create users in the alternative authentication provider, corresponding to the groups from Step 1. For example:

   BISERVICEADMIN, BICONTENTAUTHOR, BICONSUMER

3. Assign the users to respective groups n the alternative authentication provider.

   For example, assign BISERVICEADMIN user to the BIServiceAdministrators group.

4. Make the BIContentAuthors group part of the BIConsumers group in the alternative authentication provider.

   This grouping enables BIContentAuthors to inherit permissions and privileges of BIConsumers.

3.4 Configuring Oracle Business Intelligence to Use Alternative Authentication Providers

This section describes how to configure Oracle Business Intelligence to use one or more authentication providers instead of the default Oracle WebLogic Server LDAP directory, and contains the following topics:

• Section 3.4.1, "Reconfiguring Oracle Internet Directory as an Authentication Provider"

• Section 3.4.2, "Reconfiguring Microsoft Active Directory as the Authentication Provider"

• Section 3.4.3, "Configuring User and Group Name Attributes in the Identity Store"

• Section 3.4.4, "Configuring LDAP as the Authentication Provider and Storing Groups in a Database"

• Section 3.4.5, "Configuring a Database as the Authentication Provider"

• Section 3.4.6, "Configuring Identity Store Virtualization Using Fusion Middleware Control"

• Section 3.4.7, "Configuring Multiple Authentication Providers so that When One Fails, Users from Others can Still Log In to Oracle Business Intelligence"

• Section 3.4.8, "Setting the JAAS Control Flag Option"

• Section 3.4.9, "Configuring a Single LDAP Authentication Provider as the Authenticator"

Note:

Storing users and groups in a single LDAP Identity Store may be sufficient. However, for more advanced installations, you may need your users in multiple LDAP identity stores, or in a database Identity Store. You enable these using a mechanism called 'Identity Store Virtualization' (see Section 3.4.6, "Configuring Identity Store Virtualization Using Fusion Middleware Control").

Note:

This section shows settings for specific authentication providers. However, you can also use the instructions as a general guide for configuring other authentication providers.

3.4.1 Reconfiguring Oracle Internet Directory as an Authentication Provider

This procedure illustrates how to reconfigure your Oracle Business Intelligence installation to use Oracle Internet Directory(OID LDAP).

To reconfigure OID LDAP as the authentication provider:

1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

   For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

   
   Description of the illustration ''wls01.gif''
   
   

2. Select Security Realms from the left pane and click myrealm.

   The default Security Realm is named myrealm.

3. Display the Providers tab, then display the Authentication sub-tab.

   
   Description of the illustration ''wls03.gif''
   
   

4. Click New to launch the Create a New Authentication Provider page.

   
   Description of the illustration ''wls04.gif''
   
   

5. Enter values in the Create a New Authentication Provider page as follows:

   • Name: Enter a name for the authentication provider. For example, MyOIDDirectory.

   • Type: Select OracleInternetDirectoryAuthenticator from the list.

   • Click OK to save the changes and display the authentication providers list updated with the new authentication provider.

     
     Description of the illustration ''wls07.gif''
     
     

6. Click MyOIDDirectory in the Name column of the Authentication Providers table to display the Settings page.

   
   Description of the illustration ''wls08.gif''
   
   

7. Display the Configuration\Common tab, and use the Control Flag list to select 'SUFFICIENT', then click Save.

   For more information, see Section 3.4.8, "Setting the JAAS Control Flag Option".

   
   Description of the illustration ''wls05.gif''
   
   

8. Display the Provider Specific tab.

   
   Description of the illustration ''wls09.gif''
   
   

9. Use the Provider Specific tab to specify the following details:

   Section Name	Field Name	Description
   Connection	Host	The host name of the Oracle Internet Directory server.
   Connection	Port	The port number on which the Oracle Internet Directory server is listening.
   Connection	Principal	The distinguished name (DN) of the Oracle Internet Directory user to be used to connect to the Oracle Internet Directory server. For example: cn=OIDUser,cn=users,dc=us,dc=mycompany,dc=com.
   Connection	Credential	The Password for the Oracle Internet Directory user entered as the Principal.
   Groups	Group Base DN	The base distinguished name (DN) of the Oracle Internet Directory server tree that contains groups.
   Users	User Base DN	The base distinguished name (DN) of the Oracle Internet Directory server tree that contains users.
   Users	All Users Filter	The LDAP search filter. Click More Info... for details. Leave this blank, as this is the default value for the Active Directory authenticator. Note that any filter that you add to the All Users Filter is appended to all user searches.
   Users	User From Name Filter	The LDAP search filter. Click More Info... for details.
   Users	User Name Attribute	The attribute that you want to use to authenticate (for example, cn, uid, or mail). For example, to authenticate using a user's email address you set this value to mail. Note: The value that you specify here must match the User Name Attribute that you are using in the authentication provider, as described in Section 3.4.3.1, "Configuring User Name Attributes".

   
   

   Figure 3-1 shows the Users area of the Provider Specific tab.

   Figure 3-1 Provider Specific Tab - Users Area

   
   Description of ''Figure 3-1 Provider Specific Tab - Users Area''
   
   

   For more information about configuring authentication providers in Oracle WebLogic Server, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

10. (Optional) If the User Name attribute, or the Group Name attribute is configured to a value other than 'cn' in Oracle Internet Directory, you must change corresponding values in Oracle WebLogic Server Administration Console.

    For more information, see Section 3.4.3, "Configuring User and Group Name Attributes in the Identity Store".

    Note:

    The LDAP authenticators provided by WebLogic (including OracleInternetDirectoryAuthenticator and ActiveDirectoryAuthenticator), typically default to using 'cn' as the user name and group name attributes. It is often necessary to use alternative attributes for the user name, for example 'uid' or 'mail', although it is less common to need to use different group name attributes.

11. Click Save.

12. Perform the following steps to set up the DefaultAuthenticator Control Flag setting:

    1. At the main Settings for myrealm page, display the Providers tab, then display the Authentication sub-tab, then select DefaultAuthenticator to display its configuration page.

    2. Display the Configuration\Common tab and select 'SUFFICIENT' from the Control Flag list.

       For more information, see Section 3.4.8, "Setting the JAAS Control Flag Option".

    3. Click Save.

13. Perform the following steps to reorder Providers:

    1. At the main Settings for myrealm page, display the Providers tab, then display the Authentication sub-tab.
       Description of the illustration ''wls07.gif''
       
       

    2. Click Reorder to display the Reorder Authentication Providers page

    3. Select MyOIDDirectory and use the arrow buttons to move it into the first position in the list, then click OK.

       
       Description of the illustration ''wls11.gif''
       
       

    4. Click OK to save your changes.

       The authentication providers are displayed in the re-ordered sequence.

       
       Description of the illustration ''oid23_crop.gif''
       
       

14. Click Save.

15. In the Change Center, click Activate Changes.

16. Restart Oracle WebLogic Server.

3.4.2 Reconfiguring Microsoft Active Directory as the Authentication Provider

This procedure illustrates how to reconfigure your Oracle Business Intelligence installation to use Microsoft Active Directory.

The example data in this section uses a fictional company called XYZ Corporation that wants to set up SSO for Oracle Business Intelligence for their internal users.

This example uses the following information:

• Active Directory domain

  The XYZ Corporation has an Active Directory domain, called xyzcorp.com, which authenticates all the internal users. When users log in to the corporate network, the log in to the Active Directory domain. The domain controller is addc.xyzcorp.com, which controls the Active Directory domain.

• Oracle BI EE WebLogic domain

  The XYZ Corporation has a WebLogic domain called bi (default name) installed on a network server domain called bieesvr1.xyz2.com.

• System Administrator and Test user

  The following system administrator and domain user test the configuration:

  • System Administrator user

    Jo Smith (login=jsmith, hostname=xyz1.xyzcorp.com)

  • Domain user

    Bob Jones (login=bjones hostname=xyz47.xyzcorp.com)

To reconfigure Active Directory as the Authentication Provider:

1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

   For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

   
   Description of the illustration ''wls01.gif''
   
   

2. Select Security Realms from the left pane and click myrealm.

   The default Security Realm is named myrealm.

3. Display the Providers tab, then display the Authentication sub-tab.

   
   Description of the illustration ''wls03.gif''
   
   

4. Click New to launch the Create a New Authentication Provider page.

   
   

5. Enter values in the Create a New Authentication Provider page as follows:

   • Name: Enter a name for the authentication provider. For example, ADAuthenticator.

   • Type: Select ActiveDirectoryAuthenticator from the list.

   • Click OK to save the changes and display the authentication providers list updated with the new authentication provider.

     
     

6. Click DefaultAuthenticator in the Name column to display the Settings page.

7. In the Common Authentication Provider Settings page, change the Control Flag from REQUIRED to SUFFICIENT and click Save.

   For more information, see Section 3.4.8, "Setting the JAAS Control Flag Option".

8. In the authentication providers table, click ADDirectory in the Name column to display the Settings page.

9. Display the Configuration\Common tab, and use the Control Flag list to select 'SUFFICIENT', then click Save.

   
   

10. Display the Provider Specific tab to access the options which apply specifically to connecting to an Active Directory LDAP authentication store.

11. Use the Provider Specific tab to specify the following details:

    Section Name	Field Name	Description
    Connection	Host	The name of the Active Directory server addc.xyzcorp.com.
    Connection	Port	The port number on which the Active Directory server is listening (389).
    Connection	Principal	The LDAP DN for the user that connects to Active Directory when retrieving information about LDAP users. For example: cn=jsmith,cn=users,dc=us,dc=xyzcorp,dc=com.
    Connection	Credential/Confirm Credential	Password for the specified Principal (for example welcome1).
    Groups	Group Base DN	The LDAP query used to find groups in AD. Note: Only groups defined under this path will be visible to WebLogic. (CN=Builtin,DC=xyzcorp,DC=com).
    Users	User Base DN	The LDAP query used to find users in AD. CN=Users,DC=xyzcorp,DC=com
    Users	User Name Attribute	Attribute used to specify user name in AD. Default value is cn. Do not change this value unless you know your Active Directory is configured to use a different attribute for user name. If you do change it, see, Section 3.4.3.1, "Configuring User Name Attributes".
    Users	All Users Filter	LDAP search filter. Click More Info... for details.
    Users	User From Name Filter	LDAP search filter. Blank by default in AD. Click More Info... for details.
    Users	User Object class	The name of the user.
    Users	Use Retrieved User Name as Principal	Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal in the Subject. Click More Info... for details. Oracle recommends that you select this check box as it helps to enforce consistent case usage. For example, if your LDAP user name is JSmith, but you logged in as jsmith (lower case) the Principal is still JSmith (mixed case). This means that any application role memberships granted directly to users, instead of indirectly through groups, are consistently applied at authentication time.

    
    

    For more information about configuring authentication providers in Oracle WebLogic Server, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

12. (Optional) If the User Name attribute, or the Group Name attribute is configured to a value other than 'cn' in Microsoft Active Directory, you must change corresponding values in Oracle WebLogic Server Administration Console.

    For more information, see Section 3.4.3, "Configuring User and Group Name Attributes in the Identity Store".

    Note:

    The LDAP authenticators provided by WebLogic (including OracleInternetDirectoryAuthenticator and ActiveDirectoryAuthenticator), typically default to using 'cn' as the user name and group name attributes. It is often necessary to use alternative attributes for the user name, for example 'uid' or 'mail', although it is less common to need to use different group name attributes.

13. Click Save.

14. At the main Settings for myrealm page, display the Providers tab, then display the Authentication sub-tab.

15. Click Reorder to display the Reorder Authentication Providers page.

16. Select ADDirectory and use the arrow buttons to move it into the first position in the list, then click OK.

17. In the Change Center, click Activate Changes.

18. Restart Oracle WebLogic Server.

3.4.3 Configuring User and Group Name Attributes in the Identity Store

The LDAP authenticators provided by WebLogic, including OracleInternetDirectoryAuthenticator and ActiveDirectoryAuthenticator, typically default to using 'cn' as the user name and group name attributes. It is often necessary to use alternative attributes for the user name, for example 'uid' or 'mail', although it is less common to need to use different group name attributes. This section explains how to reconfigure both.

This topic contains the following sections:

• Section 3.4.3.1, "Configuring User Name Attributes"

• Section 3.4.3.2, "Configuring Group Name Attributes"

3.4.3.1 Configuring User Name Attributes

This section describes how to reconfigure the OracleInternetDirectoryAuthenticator, for example, to use mail as the User Name Attribute.

Figure 3-2 shows the User Name Attribute configured with the value mail.

Figure 3-2 Example: Provider Specific Tab - User Attributes

Description of ''Figure 3-2 Example: Provider Specific Tab - User Attributes''

The UserNameAttribute in the alternative authentication provider is usually set to the value "cn"; if it is not, you must make sure the settings for AllUsersFilter and UserFromNameFilter are configured correctly as shown in Table 3-1. Table 3-1 illustrates the default setting (using the value cn), and a required new setting (using a new value in the attribute AnOtherUserAttribute).

Table 3-1 Changing User Name Attribute

Attribute Name	Default Setting	Required New Setting
UserNameAttribute	cn	AnOtherUserAttribute
AllUsersFilter	(&(cn=*)(objectclass=person))	(&(AnOtherUserAttribute =*)(objectclass=person))
UserFromNameFilter	(&(cn=%u)(objectclass=person))	(&(AnOtherUserAttribute =%u)(objectclass=person))

Make the changes in the Provider Specific tab, using Table 3-1 (substitute the AnOtherGroupAttribute setting with your own value). For more information about how to display the Provider Specific tab, see Section 3.4, "Configuring Oracle Business Intelligence to Use Alternative Authentication Providers".

3.4.3.2 Configuring Group Name Attributes

This section describes how to reconfigure the ActiveDirectoryAuthenticator, to use a group name other than cn.

Figure 3-3 shows group settings.

Figure 3-3 Example: Provider Specific Tab - Group Attributes

Description of ''Figure 3-3 Example: Provider Specific Tab - Group Attributes''

If the group name, for example, for Active Directory server is set to anything other than the default value "cn", you must change it. If you change the value, you must also change the values of AllGroupsFilter and GroupFromNameFilter as shown in Table 3-2 (the example shows a group name stored in an attribute called AnOtherGroupAttribute).

Table 3-2 Changing Group Name Attributes

Attribute Name	Default Setting	Required New Setting
StaticGroupNameAttribute/DynamicGroupNameAttribute	cn	AnOtherGroupAttribute
AllGroupsFilter	(&(cn=*)(objectclass=person))	(&(AnOtherGroupAttribute =*)(objectclass=person))
GroupFromNameFilter	(&(cn=%u)(objectclass=person))	(&(AnOtherGroupAttribute =%u)(objectclass=person))

Make the changes in the Provider Specific tab, using Table 3-2 (substitute the AnOtherGroupAttribute setting with your own value). For more information about how to display the Provider Specific tab, see Section 3.4.2, "Reconfiguring Microsoft Active Directory as the Authentication Provider".

3.4.4 Configuring LDAP as the Authentication Provider and Storing Groups in a Database

This section describes how to configure Oracle Business Intelligence to authenticate against an LDAP Identity Store, and store group information in a database. The examples provided in this section use Oracle Internet Directory (OID LDAP), and a sample database schema. However, you do not have to use OID LDAP as your LDAP identity store and your database schema does not have to be identical to the sample provided.

Oracle Business Intelligence provides an authentication provider for WebLogic Server called BISQLGroupProvider that enables you to use this method. This authentication provider does not authenticate end user credentials but enables external group memberships held in a database table to contribute to an authenticated user's identity.

This section contains the following topics:

• Section 3.4.4.1, "Prerequisites"

• Section 3.4.4.2, "Creating a Sample Schema for Groups and Group Members"

• Section 3.4.4.3, "Configuring a Data Source and the BISQLGroupProvider Using Oracle WebLogic Server Administration Console"

• Section 3.4.4.4, "Configuring the Virtualized Identity Store"

• Section 3.4.4.5, "Testing the Configuration by Adding a Database Group to an Application Role"

• Section 3.4.4.6, "Correcting Errors in the Adaptors"

3.4.4.1 Prerequisites

The following prerequisites must be satisfied before you attempt to configure LDAP authentication as described in this section:

• Oracle Business Intelligence Enterprise Edition Release 12.2.1.0 (or higher) must be installed and running.

• You must apply all relevant patches to the Oracle BI EE 12.2.1.0 system.

• A suitable database schema containing at least one table with the required groups in it, and a mapping table which maps those groups to the names of users authenticated by LDAP must be running and accessible from the WebLogic Server on which Oracle BI EE is running.

• The configuration must include a supported LDAP server to use as the identity store that contains users.

• If you need Oracle Business Intelligence to deliver content to members of an application role the following restrictions apply:

  • You can only pair a single LDAP authenticator with a single BISQLGroupProvider.

    When you configure multiple LDAP authenticators and want to retrieve group membership from the BISQLGroupProvider, content cannot be delivered to all members of an application role. In this configuration Oracle BI Delivers cannot resolve application role membership based on users and group membership.

  • You cannot define the same group in more than one identity store.

    You cannot have a group with the same name in both LDAP and database groups table. If you do, the security code invoked by Oracle BI Delivers cannot resolve application role membership.

3.4.4.2 Creating a Sample Schema for Groups and Group Members

The sample schema described here is deliberately simplistic, and is intended only to illustrate how to configure Oracle Business Intelligence to use the schema.

The sample schema is called ACME_BI_GROUPS and contains two tables and a view: the GROUPS table defines the list of external groups, the GROUPMEMBERS table, and GROUPMEMBERS_VW view which describe group membership for users that exist in your primary identity store.

The advantage of defining tables (or views) identical to Figure 3-4 is that the configuration of the BISQLGroupProvider can use the default SQL outlined in Table 3-3.

Figure 3-4 has the tables GROUPS, GROUPMEMBERS, and the view GROUPMEMBERS_VW.

Figure 3-4 Sample Schema for Groups and Group Members

You must map the users in your LDAP store to Groups in your database table by login name. In Figure 3-4, the value of G_MEMBER in the GROUPMEMBERS table must match the value of the LDAP attribute used for login (for example, uid, cn or mail), as specified in the LDAP authenticator. For example, you should not map the database groups by uid if the login attribute is mail. Create a GROUPMEMBERS_VW view with an outer join between GROUPMEMBERS and GROUPS tables.

3.4.4.3 Configuring a Data Source and the BISQLGroupProvider Using Oracle WebLogic Server Administration Console

You configure a data source and the BISQLGroupProvider using Oracle WebLogic Server Administration Console as follows:

• Section 3.4.4.3.1, "Configuring Oracle Internet Directory as the Primary Identity Store for Authentication Using Oracle WebLogic Server"

• Section 3.4.4.3.2, "Installing the BISQLGroupProvider"

• Section 3.4.4.3.3, "Configuring the Data Source Using Oracle WebLogic Server Administration Console"

• Section 3.4.4.3.4, "Configuring the BISQLGroupProvider SQL Authenticator Using Oracle WebLogic Server Administration Console"

3.4.4.3.1 Configuring Oracle Internet Directory as the Primary Identity Store for Authentication Using Oracle WebLogic Server

Follow the link to instructions that will enable you to configure WebLogic to authenticate your user population against OID LDAP.

For more information, see Section 3.4.1, "Reconfiguring Oracle Internet Directory as an Authentication Provider".

Note:

When following the steps of this task, make a note of the value of the User Base DN and User Name Attribute in the Provider Specific configuration page for your OID LDAP authenticator, which will be needed later. For more information, see Section 3.4.4.4.3, "Configuring a Database Adaptor to Retrieve Group Information".

3.4.4.3.2 Installing the BISQLGroupProvider

Before you can configure a BISQLGroupProvider authenticator, you must first install the JAR file bi-sql-group-provider.jar, which contains the authenticator. The file is available in the following location:

ORACLE_HOME/bi/plugins/security/bi-sql-group-provider.jar

You must copy the file to the following location:

ORACLE_HOME/wlserver/server/lib/mbeantypes

After copying the file into the specified location you must restart the Administration Server to enable the new provider to appear in the list of available authenticators.

Note:

If you perform an Enterprise Install to create a clustered environment, then the installation cannot start the scaled-out Managed server because the bi-sql-group-provider.jar file is not available. When this situation occurs during installation, copy the Jar file to the correct location and click Retry in the installer.

3.4.4.3.3 Configuring the Data Source Using Oracle WebLogic Server Administration Console

To configure the data source using Oracle WebLogic Server Administration Console:

1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

   For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

2. Click Services in the left pane and click Data Sources.

3. In the Summary of Data Sources page, click New, and select Generic Data Source.

4. In the JDBC Data Sources Properties page, enter or select values for the following properties:

   • Name - For example, enter: BIDatabaseGroupDS

     The name used in the underlying configuration file (config.xml) and throughout the Oracle WebLogic Server Administration Console whenever referring to this data source.

   • JNDI Name - For example, enter: jdbc/BIDatabaseGroupDS

     The JNDI path to which this JDBC data source will be bound.

   • Database Type - For example, select: Oracle

     The DBMS of the database that you want to connect to.

5. Click Next.

6. Select a database driver from the Database Driver drop down list.

   For example, select: Oracle's Driver (Thin) for Service Connections; Versions:9.0.1 and later.

   Note:

   If using an Oracle database, select 'Oracle's Driver (Thin) for Service Connections; Releases:9.0.1 and later'.

7. Click Next.

8. Click Next.

9. On the Connection Properties page, enter values for the following properties:

   • Database Name - For example, enter: ora11g

     The name of the database that you want to connect to.

   • Host Name - For example, enter: mymachine.example.com

     The DNS name or IP address of the server that hosts the database.

     Note:

     Do not use localhost if you intend to use a cluster.

   • Port - For example, enter: 1521

     The port on which the database server listens for connections requests.

   • Database User Name

     Typically the schema owner of the tables defined in Section 3.4.4.2.

     For example, enter MYUSER.

   • Password/Confirm Password

     The password for the Database User Name.

     For example, enter mypassword.

10. Click Next.

11. Check the details on the page are correct, and click Test Configuration.

12. Click Next.

13. In the Select Targets page select the servers or clusters for your data source to be deployed to.

    You should select the Administration Server and Managed Servers as your targets, for example:

    • In the Servers pane

      Select the AdminServer option.

    • In the Clusters pane

      Select the bi_server1 check box to deploy to the cluster (this does not apply to a Simple Install).

14. Click Finish.

15. In the Change Center, click Activate Changes.

Note:

In this example, the data source is called BIDatabaseGroupDS.

3.4.4.3.4 Configuring the BISQLGroupProvider SQL Authenticator Using Oracle WebLogic Server Administration Console

This task explains how to create a BISQLGroupProvider against the BIDatabaseGroupDS data source using the example table structure outlined in Section 3.4.4.2, "Creating a Sample Schema for Groups and Group Members". You may need to modify the SQL statements used (table or column names) if your structure differs from the example.

Note:

There is no authentication against the database, as it just stores the groups to be associated with users. Authentication occurs against LDAP and the database is exposed when the BISQLGroupProvider assigns groups to application roles in Oracle WebLogic Server Administration Console.

To configure the BISQLGroupProvider SQL authenticator using Oracle WebLogic Server Administration Console:

1. Log in to Oracle WebLogic Server Administration Console as a WebLogic administrator, and click Lock & Edit in the Change Center.

   For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

   
   Description of the illustration ''wls01.gif''
   
   

2. Select Security Realms from the left pane and click myrealm.

   The default Security Realm is named myrealm.

3. Display the Providers tab, then display the Authentication sub-tab.

   
   Description of the illustration ''wls03.gif''
   
   

4. Click New to launch the Create a New Authentication Provider page.

   
   

5. Enter values in the Create a New Authentication Provider page as follows:

   • Name: Enter a name for the authentication provider. For example, MySQLGroupProvider.

   • Type: Select BISQLGroupProvider from the list.

   • Click OK to save the changes and display the authentication providers list updated with the new authentication provider.

     
     

6. In the authentication providers table, click MySQLGroupProvider in the Name column to display the Settings page.

7. Display the Provider Specific tab to specify the SQL statements used to query and authenticate against your database tables.

8. Specify the DataSource Name. This should be the JNDI name rather than the data source name. For example: jdbc/BIDatabaseGroupDS.

   Table 3-3 shows SQL statements for the sample schema outlined in Section 3.4.4.2

   Table 3-3 SQL Statements for the Sample Schema

   Query	SQL	Notes
   SQL List Groups	SELECT G_NAME FROM GROUPS WHERE G_NAME LIKE ?	The SQL statement used to retrieve group names that match a wildcard. The SQL statement requires a single parameter for the group name and must return a resultSet containing matching groups.
   SQL Group Exists	SELECT G_NAME FROM GROUPS WHERE G_NAME = ?	The SQL statement used to look up a group. The SQL statement requires a single parameter for the group name and must return a resultSet containing at most a single record containing the group.
   SQL Is Member	SELECT G_MEMBER FROM GROUPMEMBERS WHERE G_NAME = ? AND G_MEMBER = ?	The SQL statement used to look up members of a group. The SQL statement requires two parameters: a group name and a member or group name. It must return a resultSet containing the group names that matched.
   SQL List Member Groups	SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ?	The SQL statement used to look up the groups a user or group is a member of. The SQL statement requires a single parameter for the username or group name and returns a resultSet containing the names of the groups that matched.
   SQL Get Group Description (if description supported enabled)	SELECT G_DESCRIPTION FROM GROUPS WHERE G_NAME = ?	The SQL statement used to retrieve the description of a group. Only valid if Descriptions Supported is enabled. The SQL statement requires a single parameter for the group name and must return a resultSet containing at most a single record containing the group description.

   
   

   Note:

   If you are using a different table structure, you might need to adapt these SQL statements (table or column names) to your own schema. Also, you should leave the question mark (?) as a runtime query placeholder (rather than hardcode a user or group name).

   For more information about configuring authentication providers in Oracle WebLogic Server, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

9. Enter all of the SQL statements appropriate to your authenticator.

   The SQL is case sensitive.

10. Click Save.

11. Perform the following steps to reorder the authentication providers:

    1. Display the Providers tab.

    2. Click Reorder to display the Reorder Authentication Providers page

    3. Select BISQLGroupProvider and use the arrow buttons to move it into the first position in the list.

    4. Click OK to save your changes.

12. Perform the following steps to configure the Control Flag setting of BISQLGroupProvider:

    1. At the main Settings for myrealm page, display the Providers tab, then display the Authentication sub-tab, then select BISQLGroupProvider to display its configuration page.

    2. Display the Configuration\Common tab and select 'OPTIONAL' from the Control Flag list.

       For more information, see Section 3.4.8, "Setting the JAAS Control Flag Option".

    3. Click Save.

13. In the Change Center, click Activate Changes.

14. Restart the Oracle Business Intelligence components (use Fusion Middleware Control once the Administration Server has been restarted), Oracle WebLogic Server, and Managed servers.

Note:

Check the Users and Groups tab to confirm that the database users and groups appear there.

3.4.4.4 Configuring the Virtualized Identity Store

You configure the virtualized identity store as follows:

• Section 3.4.4.4.1, "Enabling Virtualization by Configuring the Identity Store"

• Section 3.4.4.4.2, "Configuring SSL Against LDAP"

• Section 3.4.4.4.3, "Configuring a Database Adaptor to Retrieve Group Information"

3.4.4.4.1 Enabling Virtualization by Configuring the Identity Store

You configure the identity store to enable virtualization so that more than one identity store can be used with the identity store service, and therefore user profile information can be split across different authentication providers (identity stores).

For more information, see Section 3.4.6, "Configuring Identity Store Virtualization Using Fusion Middleware Control".

3.4.4.4.2 Configuring SSL Against LDAP

If you have configured an LDAP Authenticator to communicate over SSL (one-way SSL only), you must put the corresponding LDAP server's route certificate in an additional keystore used by the virtualization (libOVD) functionality.

For more information, see Section 5.14.2, "Configuring SSL when Using Multiple Authenticators".

3.4.4.4.3 Configuring a Database Adaptor to Retrieve Group Information

You configure a database adaptor to make it appear like an LDAP server, which enables the virtualized identity store provider to retrieve group information from a database using the database adapter.

To configure a database adaptor to retrieve group information:

This task shows how to edit and apply adapter templates that specify how to use your database tables as an identity store to map groups.

1. Create a file named bi_sql_groups_adapter_template.xml.

   This file describes the mapping of the GROUPMEMBERS_VW view to a virtual LDAP store. The view uses an outer join to ensure that fields from more than one table can be referenced by the database adaptor.

2. Make sure that the file contains the following contents:

   Note:

   You must adapt the sections of bold text below to match your table and column attributes against LDAP server attributes. The example shown here is of the sample schema that is used throughout Section 3.4.4.

   Note:

   For the element:<param name="ReplaceAttribute" value="uniquemember={cn=%uniquemember%,cn=users,dc=oracle,dc=com}"/>

   This must match the user attribute and root User DN of the main authenticator. For example, for the default authenticator:

   uid=%uniquemember%,ou=people,ou=myrealm,dc=bifoundation_domain

   <?xml version = '1.0' encoding = 'UTF-8'?>
   <adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters" xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
      <dataBase id="directoryType" version="0">
         <root>%ROOT%</root>
         <active>true</active>
         <serverType>directoryType</serverType>
         <routing>
            <critical>true</critical>
            <priority>50</priority>
            <inclusionFilter/>
            <exclusionFilter/>
            <plugin/>
            <retrieve/>
            <store/>
            <visible>Yes</visible>
            <levels>-1</levels>
            <bind>true</bind>
            <bind-adapters/>
            <views/>
            <dnpattern/>
         </routing>
         <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
            <plugins>
               <plugin>
                  <name>VirtualAttribute</name>
                  <class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class>
                  <initParams>
                     <param name="ReplaceAttribute" value="uniquemember={cn=%uniquemember%,cn=users,dc=oracle,dc=com}"/>
                  </initParams>
               </plugin>
            </plugins>
            <default>
               <plugin name="VirtualAttribute"/>
            </default>
            <add/>
            <bind/>
            <delete/>
            <get/>
            <modify/>
            <rename/>
         </pluginChains>
         <driver>oracle.jdbc.driver.OracleDriver</driver>
         <url>%URL%</url>
         <user>%USER%</user>
         <password>%PASSWORD%</password>
         <ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
         <includeInheritedObjectClasses>true</includeInheritedObjectClasses>
         <maxConnections>10</maxConnections>
         <mapping>
            <joins/>
            <objectClass name="groupofuniquenames" rdn="cn">
               <attribute ldap="cn" table="GROUPMEMBERS_VW" field="G_NAME" type=""/>
               <attribute ldap="description" table="GROUPMEMBERS_VW" field="G_NAME" type=""/>
               <attribute ldap="uniquemember" table="GROUPMEMBERS_VW" field="G_MEMBER" type=""/>
            </objectClass>
         </mapping>
         <useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
         <connectionWaitTimeout>10</connectionWaitTimeout>
         <oracleNetConnectTimeout>0</oracleNetConnectTimeout>
         <validateConnection>false</validateConnection>
      </dataBase>
   </adapters>
   

3. Customize appropriate sections highlighted in bold, for the following elements:

   • ReplaceAttribute

     Specifies how to define the unique member for a group (the %uniquemember% is a placeholder for a value which will be passed in at runtime when looking up whether a user is a member of a group)

     The only aspect of this element you may want to change is the specification of the root for your users. While this is notional, by default it must match whatever you specify as the root of your user population when you run the libovdadapterconfig script in Step 10.

   • groupofuniquenenames

     Specifies how group attributes are mapped to database fields.

     You must map the following attributes:

     • cn (map to a unique name for your group)

     • uniquemember (map to the unique name for your user in the user/group mapping table in your database schema

     Mapping the following attribute is optional:

     • description is optional (although clearly helpful)

     No other attributes are user-configurable.

4. Copy the adapter file into the following folder:

   ORACLE_HOME/oracle_common/modules/oracle.ovd/templates/

5. Open a command prompt/terminal at:

   ORACLE_HOME/oracle_common/bin

6. Ensure the following environment variables are set, for example:

   • ORACLE_HOME=oraclehome

   • WL_HOME=ORACLE_HOME/wlserver/

   • JAVA_HOME=ORACLE_HOME/jdk/jre

7. Run the libovdadapterconfig script to create a database adapter from the template file. The syntax is:

   libovdadapterconfig -adapterName <name of adapter> -adapterTemplate <name (NOT including path) of template file which defines adapater> -host localhost -port <Admin Server port> -userName <user id of account which has administrative privileges in the domain> -domainPath <path to the BI domain> -dataStore DB -root <nominal specification of a pseudo-LDAP query to treat as the "root" of this adapter - must match that specified in template for adapter 2 above> -contextName default -dataSourceJNDIName <JNDI name for DataSource which points at the database being mapped>
   

   For example:

   ./libovdadapterconfig.sh -adapterName biSQLGroupAdapter -adapterTemplate bi_sql_groups_adapter_template.xml -host localhost -port 7001 -userName weblogic -domainPath /opt/oracle_bi/user_projects/domains/bifoundation_domain/ -dataStore DB -root cn=users,dc=oracle,dc=com -contextName default -dataSourceJNDIName jdbc/BIDatabaseGroupDS
   
   

   Note:

   The dataSourceJNDIName must be the JNDI name and not just the DS name.

   Note:

   The root parameter value should match the root dn specified in the <param name="replaceattribute" element in the adaptor template. For example, if user is specified in the default authenticator, the root would normally be set to ou=people, ou=myrealm, dc=bifoundation_domain.

   The script should exit without error.

8. Restart WebLogic Administration Server and Managed servers.

   Note:

   When you start WebLogic you will see the following warning which you can ignore:Warning: BISQLGroupsProvider: Connection pool not usable.

   You should now be able to log in to WebLogic and Oracle Business Intelligence using credentials stored in the database.

3.4.4.5 Testing the Configuration by Adding a Database Group to an Application Role

To test the configuration by adding a database group to an application role:

1. Log in to Fusion Middleware Control, and open WebLogic domain and bifoundation_domain in the navigation menu on the left of the page.

   For more information, see Section 1.6.2, "Using Oracle Fusion Middleware Control".

2. Right-click bifoundation_domain and select Security, then Application Roles to display the Application Role Configuration page.

3. Add a database group which contains an LDAP user to one of the application roles (for example, BIServiceAdministrator) which that user does not currently have access to.

4. Log in to Oracle Business Intelligence as a user that is a member of the group that was newly added to the application role.

   In the top right of the page, you will see the text "Logged in as <user id>".

5. Click the user id to display a drop down menu.

6. Select My Account from the menu.

7. Display the Roles and Catalog Groups tab and verify the user now has the new application role.

3.4.4.6 Correcting Errors in the Adaptors

You cannot modify an existing database adapter, so if you make an error in either the libovdadapter command, or the templates you use to create the adapters, you must delete then recreate the adapter.

For more information, see Section 3.4.5.6, "Correcting Database Adapter Errors by Deleting and Recreating the Adapter".

3.4.5 Configuring a Database as the Authentication Provider

This section describes how to configure Oracle Business Intelligence to use a database as the authentication provider by using a SQLAuthenticator and a virtualized identity store database adapter, and contains the following topics:

• Section 3.4.5.1, "Introduction and Prerequisites"

• Section 3.4.5.2, "Creating a Sample Schema for Users and Groups"

• Section 3.4.5.3, "Configuring a Data Source and SQL Authenticator Using the Oracle WebLogic Server Administration Console"

• Section 3.4.5.4, "Configuring the Virtualized Identity Store"

• Section 3.4.5.5, "Troubleshooting the SQL Authenticator"

• Section 3.4.5.6, "Correcting Database Adapter Errors by Deleting and Recreating the Adapter"

3.4.5.1 Introduction and Prerequisites

User role and profile information can be stored in a database with the help of an adapter that enables the database to appear like an LDAP server. A virtualized identity store provider can retrieve user profile information from a database through a database adapter.

The method of database authentication described here is only possible in Release 11.1.1.5 (or higher), because earlier releases require the use of initialization blocks.

This topic explains how to configure Oracle Business Intelligence with a SQLAuthenticator and a virtualized identity store provider (including a database adapter), both running against a suitable database schema. The examples given are illustrative only, and your database schema need not be identical to the sample described here.

Use this procedure when you need to authenticate users against a database schema. The preferred identity store for authentication purposes is an LDAP directory service, such as Oracle Internet Directory (OID LDAP).

The approach to database authentication described here requires two database columns, one containing users and another containing passwords. This method is not based on database user accounts.

Oracle Business Intelligence Enterprise Edition Releases 11.1.1.5, 11.1.1.6, and 11.1.1.7 (or higher) must be installed and running. However, for Releases 11.1.1.5 and 11.1.1.6, you must also apply Oracle Fusion Middleware patch 13826887. For more information, see "Patching Oracle Business Intelligence Systems" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition).

3.4.5.2 Creating a Sample Schema for Users and Groups

In practice, you will have your own schemas, which you are using in an earlier installation of Oracle BI EE. The sample schema described here is deliberately simplistic, and is intended only to illustrate how to configure the system to use the schema.

Note:

A suitable database schema containing the users, credentials and groups required for authentication, must be accessible from the WebLogic Server on which Oracle BI EE is running.

Figure 3-5 has tables, USERS, USER_VW, GROUPMEMBERS, GROUPS, and GROUPMEMBERS_VW, where USER_VW is a view on the USERS table, and GROUPMEMBERS_VW is a view joining the GROUPMEMBERS and GROUPS tables.

Figure 3-5 Sample Schema for Users and Groups

If either user or group information exists in more than one table, remove USER_VW must create a view over the tables of each type of information.

Create a view on the GROUPMEMBERS and GROUPS tables (for example, GROUPMEMBERS_VW) with an outer join on the GROUPS table and an inner join on the GROUPMEMBERS table, which enables you to see groups in Fusion Middleware Control even when they have no user assigned to them. To present the view shown in Figure 3-5 to the database adapter, you would need to follow the configuration shown in Section 3.4.5.4.2, "Configuring a Database Adaptor".

3.4.5.3 Configuring a Data Source and SQL Authenticator Using the Oracle WebLogic Server Administration Console

You configure a data source and SQL authenticator using the Oracle WebLogic Server Administration Console as follows:

• Section 3.4.5.3.1, "Configuring a Data Source Using the Oracle WebLogic Server Administration Console"

• Section 3.4.5.3.2, "Configuring a SQL Authenticator Using the Oracle WebLogic Server Administration Console"

3.4.5.3.1 Configuring a Data Source Using the Oracle WebLogic Server Administration Console

To configure a data source using the Oracle WebLogic Server Administration Console:

1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

   For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

2. Click Services in the left pane and click Data Sources.

3. In the Summary of Data Sources page, click New, and select Generic Data Source.

4. In the JDBC Data Sources Properties page, enter or select values for the following properties:

   • Name - For example, enter: UserGroupDS

     The name used in the underlying configuration file (config.xml) and throughout the Administration Console whenever referring to this data source.

   • JNDI Name - For example, enter: jdbc/UserGroupDS

     The JNDI path to which this JDBC data source will be bound.

   • Database Type - For example, select: Oracle

     The DBMS of the database that you want to connect to.

5. Click Next.

6. Select a database driver from the Database Driver drop down list.

   For example, select: Oracle's Driver (Thin) for Service Connections; Releases:9.0.1 and later

7. Click Next.

8. Click Next.

9. On the Connection Properties page, enter values for the following properties:

   • Database Name - For example, enter: ora12c

     The name of the database that you want to connect to.

   • Host Name - For example, enter: mymachine.example.com

     The DNS name or IP address of the server that hosts the database.

   • Port - For example, enter: 1521

     The port on which the database server listens for connections requests.

   • Database User Name

     Typically the schema owner of the tables defined in Section 3.4.5.2

   • Password/Confirm Password

     The password for the Database User Name.

10. Click Next.

11. Check the details on the page are correct, and click Test Configuration.

12. Click Next.

13. In the Select Targets page select the servers or clusters for deploying the data source.

    You should select the Administration Server and Managed server as your targets, for example:

    • In the Servers pane

      Select the AdminServer check box.

    • In the Clusters pane

      Select the bi_server1 option.

14. Click Finish.

15. In the Change Center, click Activate Changes.

16. Restart the system.

3.4.5.3.2 Configuring a SQL Authenticator Using the Oracle WebLogic Server Administration Console

This task enables a suitably privileged user to log in to the Oracle WebLogic Server Administration Console using the WebLogic database authenticator.

To configure a SQL authenticator using the Oracle WebLogic Server Administration Console:

1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

   For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

   
   Description of the illustration ''wls01.gif''
   
   

2. Select Security Realms from the left pane and click myrealm.

   The default Security Realm is named myrealm.

3. Display the Providers tab, then display the Authentication sub-tab.

   
   Description of the illustration ''wls03.gif''
   
   

4. Click New to launch the Create a New Authentication Provider page.

   
   

5. Enter values in the Create a New Authentication Provider page as follows:

   • Name: Enter a name for the authentication provider. For example, UserGroupDBAuthenticator.

   • Type: Select ReadOnlySQLAuthenticator from the list.

     This creates a read-only SQL Authenticator, and WebLogic does not write back to the database.

   • Click OK to save the changes and display the authentication providers list updated with the new authentication provider.

     
     

6. In the authentication providers table, click UserGroupDBAuthenticator in the Name column to display the Settings page.

7. Display the Provider Specific tab, and enter in the Data Source Name field, the name of the data source that you created in Section 3.4.5.3.1.

   For example, UserGroupDS.

8. In the Provider Specific tab you specify the SQL statements used to query, and authenticate against, your database tables.

   Table 3-4 shows SQL statements for the sample schema outlined in Section 3.4.5.2

   Table 3-4 SQL Statements for the Sample Schema

   Query	SQL	Notes
   SQL Get Users Password (used to authenticate)	SELECT U_PASSWORD FROM USERS WHERE U_NAME = ?	The SQL statement used to look up a user's password. The SQL statement requires a single parameter for the username and must return a resultSet containing at most a single record containing the password.
   SQL User Exists	SELECT U_NAME FROM USERS WHERE U_NAME = ?	The SQL statement used to look up a user. The SQL statement requires a single parameter for the username and must return a resultSet containing at most a single record containing the user.
   SQL List Users	SELECT U_NAME FROM USERS WHERE U_NAME LIKE ?	The SQL statement used to retrieve users that match a particular wildcard search. The SQL statement requires a single parameter for the usernames and returns a resultSet containing matching usernames.
   SQL List Groups	SELECT G_NAME FROM GROUPS WHERE G_NAME LIKE ?	The SQL statement used to retrieve group names that match a wildcard. The SQL statement requires a single parameter for the group name and returns a resultSet containing matching groups.
   SQL Group Exists	SELECT G_NAME FROM GROUPS WHERE G_NAME = ?	The SQL statement used to look up a group. The SQL statement requires a single parameter for the group name and must return a resultSet containing at most a single record containing the group.
   SQL Is Member	SELECT G_MEMBER FROM GROUPMEMBERS WHERE G_NAME=? AND G_MEMBER LIKE ?	The SQL statement used to look up members of a group. The SQL statement requires two parameters: a group name and a member or group name. It must return a resultSet.
   SQL List Member Groups	SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ?	The SQL statement used to look up the groups a user or group is a member of. The SQL statement requires a single parameter for the username or group name and returns a resultSet containing the names of the groups that matched.
   SQL Get User Description (if description supported enabled)	SELECT U_DESCRIPTION FROM USERS WHERE U_NAME = ?	The SQL statement used to retrieve the description of a specific user. The SQL statement requires a single parameter for the username and must return a resultSet containing at most a single record containing the user description.
   SQL Get Group Description (if description supported enabled)	SELECT G_DESCRIPTION FROM GROUPS WHERE G_NAME = ?	The SQL statement used to retrieve the description of a group. It is valid only if Descriptions Supported is enabled. The SQL statement requires a single parameter for the group name and must return a resultSet containing at most a single record containing the group description.

   
   

   Note:

   If you are using a different table structure, you might need to adapt these SQL statements (table or column names) to your own schema. Also, you should leave the question mark (?) as a runtime query placeholder (rather than hardcode a user or group name).

   For more information about configuring authentication providers in Oracle WebLogic Server, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

9. Enter all of the SQL statements appropriate to your Authenticator.

   The SQL is case sensitive.

10. If your password column is in plain text (that is, if the result of the query supplied for the SQL Get Users Password column is not hashed or encrypted), select the Plaintext Password Enabled option.

    If the Plaintext Password Enabled option is cleared, the SQLAuthenticator expects passwords to have been hashed using SHA-1 (default encryption algorithm). For more information on the supported encryption algorithms, see the documentation for the base SQLAuthenticator Mbean PasswordAlgorithm attribute.

11. Click Save.

12. Perform the following steps to configure default authenticator Control Flag setting:

    1. At the main Settings for myrealm page, display the Providers tab, then display the Authentication sub-tab, then select DefaultAuthenticator to display its configuration page.

    2. Display the Configuration\Common tab and select 'SUFFICIENT' from the Control Flag list.

       For more information, see Section 3.4.8, "Setting the JAAS Control Flag Option".

    3. Click Save.

13. Perform the following steps to reorder the Authentication Providers:

    1. Display the Providers tab.

    2. Click Reorder to display the Reorder Authentication Providers page

    3. Select UserGroupDBAuthenticator and use the arrow buttons to move it into the first position in the list.

    4. Click OK to save your changes.

14. In the Change Center, click Activate Changes.

15. Restart the Oracle Business Intelligence components (use Fusion Middleware Control once the Administration Server has been restarted), Oracle WebLogic Server, and Managed servers.

16. Follow the steps described in Section 3.5, "Resetting the BI System User Credential" to ensure there is a trusted system user in your database, by replacing the credentials in the Credential store to point to this user's credentials.

    The credentials must be of a suitable user account specified in the database tables that you are trying to configure authentication against.

    Note:

    The screenshot of the Oracle WebLogic Server Administration Console in Section 3.5, shows users in the domain that you will not see until you complete the database configuration steps.

Note:

Check the Users and Groups tab to confirm that the database users and groups appear there.

3.4.5.4 Configuring the Virtualized Identity Store

Configure the virtualized identity store as follows:

• Section 3.4.5.4.1, "Enabling Virtualization by Configuring the Identity Store"

• Section 3.4.5.4.2, "Configuring a Database Adaptor"

3.4.5.4.1 Enabling Virtualization by Configuring the Identity Store

You must configure the identity store to enable virtualization so that more than one Identity Store can be used with the identity store service, and therefore user profile information can be split across different authentication providers (identity stores).

For more information, see Section 3.4.6, "Configuring Identity Store Virtualization Using Fusion Middleware Control".

3.4.5.4.2 Configuring a Database Adaptor

You configure a database adaptor to make the database appear like an LDAP server, which enables the virtualized identity store provider to retrieve user profile information from a database using the database adapter.

To configure a database adaptor:

This task shows how to edit and apply adapter templates that specify how to use your database tables as an identity store.

1. Create a file named adapter_template_usergroup1.xml.

   This file describes the mapping of the user table to a virtual LDAP store.

2. Make sure that the file contains the following contents:

   Note:

   You must adapt the section shown in bold, to match the columns in your own table with attributes in the LDAP server. The example given here is for the sample schema that is used throughout Section 3.4.5.

   <?xml version = '1.0' encoding = 'UTF-8'?>
   <adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters" xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
      <dataBase id="directoryType" version="0">
         <root>%ROOT%</root>
         <active>true</active>
         <serverType>directoryType</serverType>
         <routing>
            <critical>true</critical>
            <priority>50</priority>
            <inclusionFilter/>
            <exclusionFilter/>
            <plugin/>
            <retrieve/>
            <store/>
            <visible>Yes</visible>
            <levels>-1</levels>
            <bind>true</bind>
            <bind-adapters/>
            <views/>
            <dnpattern/>
         </routing>
         <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
            <plugins>
               <plugin>
                  <name>DBGUID</name>
                  <class>oracle.ods.virtualization.engine.chain.plugins.dbguid.DBGuidPlugin</class>
                  <initParams>
                     <param name="guidAtribute" value="orclguid"/>
                  </initParams>
               </plugin>
            </plugins>
            <default>
               <plugin name="DBGUID"/>
            </default>
            <add/>
            <bind/>
            <delete/>
            <get/>
            <modify/>
            <rename/>
         </pluginChains>
         <driver>oracle.jdbc.driver.OracleDriver</driver>
         <url>%URL%</url>
         <user>%USER%</user>
         <password>%PASSWORD%</password>
         <ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
         <includeInheritedObjectClasses>true</includeInheritedObjectClasses>
         <maxConnections>10</maxConnections>
         <mapping>
            <joins/>
            <objectClass name="person" rdn="cn">
               <attribute ldap="cn" table="USER_VW" field="U_NAME" type=""/>
               <attribute ldap="uid" table="USER_VW" field="U_NAME" type=""/>
               <attribute ldap="usernameattr" table="USER_VW" field="U_NAME" type=""/>
               <attribute ldap="loginid" table="USER_VW" field="U_NAME" type=""/>
               <attribute ldap="description" table="USER_VW" field="U_NAME" type=""/>
               <attribute ldap="orclguid" table="USER_VW" field="orclguid" type=""/>
            </objectClass>
         </mapping>
         <useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
         <connectionWaitTimeout>10</connectionWaitTimeout>
         <oracleNetConnectTimeout>0</oracleNetConnectTimeout>
         <validateConnection>false</validateConnection>
      </dataBase>
   </adapters>
   

   In this example the section highlighted in bold should be the only section that needs customizing, but the elements should be mapped by matching the attributes/classes used in a virtual LDAP schema with the columns in your database which correspond to them. The virtual schema is the same as that of WebLogic Embedded LDAP, so you can map database columns to any of the attributes shown in Table 3-5.

   Table 3-5 Examples of Attributes to Map to Database Columns

   Attribute	Example
   description	John Doe
   cn	john.doe
   uid	john.doe
   sn	Doe
   userpassword	welcome1
   displayName	John Doe
   employeeNumber	12345
   employeeType	Regular
   givenName	John
   homePhone	650-555-1212
   mail	john.doe@example.com
   title	Manager
   manager	uid=mary.jones,ou=people,ou=myrealm,dc=wc_domain
   preferredLanguage	en
   departmentNumber	tools
   facsimiletelephonenumber	650-555-1200
   mobile	650-500-1200
   pager	650-400-1200
   telephoneNumber	650-506-1212
   postaladdress	200 Oracle Parkway
   l	Redwood Shores
   homepostaladdress	123 Main St., Anytown 12345

   
   

3. Use the first, outer element (<objectClass name="person" rdn="cn">) to declare mapping of the LDAP objectclass person.

   The cn attribute is used as its RDN (Relative Distinguished Name). The sub-elements then declare which LDAP attributes map to which tables and columns in the database. For example, the line <attribute ldap="uid" table="USERS" field="USER_ID" type=""/> maps the USER_ID field of the USER_VW table to the standard LDAP attribute uid (that is, a unique user id for each user).

   Next, you map groups using the same method.

4. Create a file named adapter_template_usergroup2.xml.

   This file describes the mapping of the group table to a virtual LDAP store.

5. Add the following contents to the file:

   You must customize the section shown in bold to match the columns in your own table. The sample content shown here is to match the sample schema that is used throughout this example.

   <?xml version = '1.0' encoding = 'UTF-8'?>
   <adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters" xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
       <dataBase id="directoryType" version="0">
         <root>%ROOT%</root>
         <active>true</active>
         <serverType>directoryType</serverType>
         <routing>
            <critical>true</critical>
            <priority>50</priority>
            <inclusionFilter/>
            <exclusionFilter/>
            <plugin/>
            <retrieve/>
            <store/>
            <visible>Yes</visible>
            <levels>-1</levels>
            <bind>true</bind>
            <bind-adapters/>
            <views/>
            <dnpattern/>
         </routing>
         <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
            <plugins>
               <plugin>
                  <name>VirtualAttribute</name>
                  <class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class>
                  <initParams>
                     <param name="ReplaceAttribute" value="uniquemember={cn=%uniquemember%,cn=users,dc=oracle,dc=com}"/>
                  </initParams>
               </plugin>
            </plugins>
            <default>
               <plugin name="VirtualAttribute"/>
            </default>
            <add/>
            <bind/>
            <delete/>
            <get/>
            <modify/>
            <rename/>
         </pluginChains>
         <driver>oracle.jdbc.driver.OracleDriver</driver>
         <url>%URL%</url>
         <user>%USER%</user>
         <password>%PASSWORD%</password>
         <ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
         <includeInheritedObjectClasses>true</includeInheritedObjectClasses>
         <maxConnections>10</maxConnections>
         <mapping>
            <joins/>
            <objectClass name="groupofuniquenames" rdn="cn">
               <attribute ldap="cn" table="GROUPMEMBERS_VW" field="G_NAME" type=""/>
               <attribute ldap="description" table="GROUPMEMBERS_VW" field="G_NAME type=""/>
               <attribute ldap="uniquemember" table="GROUPMEMBERS_VW" field="G_MEMBER" type=""/>
               <attribute ldap="orclguid" table="GROUPMEMBERS_VW" field="G_NAME" type=""/>
            </objectClass>
         </mapping>
         <useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
         <connectionWaitTimeout>10</connectionWaitTimeout>
         <oracleNetConnectTimeout>0</oracleNetConnectTimeout>
         <validateConnection>false</validateConnection>
      </dataBase>
   </adapters>
   

6. Customize appropriate sections highlighted in bold, for the following elements:

   • ReplaceAttribute

     Specifies how to define the unique member for a group (the %uniquemember% is a placeholder for a value which will be passed in at runtime when looking up whether a user is a member of a group)

     The only aspect of this element you may want to change is the specification of the root for your users. While this is notional, by default it must match whatever you specify as the root of your user population when you run the libovdadapterconfig script in Step 10.

   • groupofuniquenames

     Specifies how group attributes are mapped to database fields and as with the user, the attributes correspond to the defaults in Weblogic Embedded LDAP.

     You must map the following attributes:

     • cn (map to a unique name for your group)

     • uniquemember (map to the unique name for your user in the user/group mapping table in your database schema)

     • orclguid (maps to a unique id, if available in your database schema)

     Mapping the following attributes is optional:

     • description is optional (although clearly helpful)

     No other attributes are user-configurable.

7. Copy the two adapter files into the following folder:

   ORACLE_HOME/oracle_common/modules/oracle.ovd/templates/

8. Open a command prompt/terminal at:

   ORACLE_HOME/oracle_common/bin

9. Ensure the following environment variables are set, for example:

   • ORACLE_HOME=ORACLE_HOME/oraclehome

   • WL_HOME=ORACLE_HOME/wlserver

   • JAVA_HOME=ORACLE_HOME/jdk/jre

10. Run the libovdadapterconfig script to create each of the two adapters from the template files. The syntax is:

    libovdadapterconfig -adapterName <name of adapter> -adapterTemplate <name (NOT including path) of template file which defines adapter> -host localhost -port <Admin Server port> -userName <user id of account which has administrative privileges in the domain> -domainPath <path to the BI domain> -dataStore DB -root <nominal specification of a pseudo-LDAP query to treat as the "root" of this adapter - must match that specified in template for adapter 2 above> -contextName default -dataSourceJNDIName <JNDI name for DataSource which points at the database being mapped>
    

    For example:

    ./libovdadapterconfig.sh -adapterName userGroupAdapter1 -adapterTemplate adapter_template_usergroup1.xml -host localhost -port 7001 -userName weblogic -domainPath /opt/oracle_bi/user_projects/domains/bifoundation_domain/ -dataStore DB -root cn=users,dc=oracle,dc=com -contextName default -dataSourceJNDIName jdbc/UserGroupDS
    
    ./libovdadapterconfig.sh -adapterName userGroupAdapter2 -adapterTemplate adapter_template_usergroup2.xml -host localhost -port 7001 -userName weblogic -domainPath /opt/oracle_bi/user_projects/domains/bifoundation_domain/ -dataStore DB -root cn=users,dc=oracle,dc=com -contextName default -dataSourceJNDIName jdbc/UserGroupDS
    

    The scripts should exit without error.

11. Restart WebLogic Administration Server and Managed servers.

    You should now be able to log in to WebLogic and Oracle Business Intelligence using credentials stored in the database

3.4.5.5 Troubleshooting the SQL Authenticator

This section provides troubleshooting information on the SQL authenticator, and contains the following topics:

• Section 3.4.5.5.1, "Adding a User to the Global Admin Role Using the Oracle WebLogic Server Administration Console"

• Section 3.4.5.5.2, "An Incorrect Data Source Name is Specified for the SQLAuthenticator"

• Section 3.4.5.5.3, "Incorrect SQL Queries"

3.4.5.5.1 Adding a User to the Global Admin Role Using the Oracle WebLogic Server Administration Console

If you cannot log in to Oracle Business Intelligence using a database user, a useful diagnostic test is to see whether your user can log in to WebLogic at all. If you do not have other applications on the WebLogic Server which take advantage of WebLogic container authentication, you can add your user (temporarily) to the WebLogic Global Admin role and see if the user can log in to the Oracle WebLogic Server Administration Console to test whether the SQLAuthenticator is working at all.

To add a user to the global admin role using the Oracle WebLogic Server Administration Console:

1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

   For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

2. Select Security Realms from the left pane and click myrealm.

   The default Security Realm is named myrealm.

3. Display the Roles and Policies tab, then display the Realm Roles sub-tab.

   
   

4. In the list of roles, click on the plus sign to expand Global Roles, then Roles, then click the View Role Conditions link for the Admin role.

5. Ensure the conditions specified will match your user, either directly, or by belonging to a group.

   For example, a condition may be User=myadminaccount or Group=Administrators.

6. If you have made any changes, click Save.

   Changes are applied immediately.

7. You should now be able to check whether the user in question can log in to the Oracle WebLogic Server Administration Console at http://<bi server address>:<AdminServer Port>/console (for example, http://example.com:9500/console).

   If the user can log in to the console, but cannot log in to Oracle Business Intelligence, the SQLAuthenticator is working correctly, but there may be issues in the identity store service. Check that you have specified the virtualize=true, and OPTIMIZE_SEARCH=true properties in Section 3.4.6, "Configuring Identity Store Virtualization Using Fusion Middleware Control" and that your DBAdapter templates are correct in Section 3.4.5.4.2, "Configuring a Database Adaptor".

3.4.5.5.2 An Incorrect Data Source Name is Specified for the SQLAuthenticator

If you specify the wrong name for the data source field of the SQLAuthenticator, then errors such as the following are included in the log files for Administration Server and Managed Servers:

Caused by: javax.security.auth.login.FailedLoginException: [Security:090761]Authentication failed for user jsmith java.sql.SQLException: [Security:090788]"Problem with DataSource/ConnectionPool configuration, verify DataSource name wrongdsname is correct and Pool configurations are correct"
      at weblogic.security.providers.authentication.shared.DBMSAtnLoginModuleI
mpl.login(DBMSAtnLoginModuleImpl.java:318)

Use the data source name as in the example shown in Section 3.4.5.3.1, "Configuring a Data Source Using the Oracle WebLogic Server Administration Console".

3.4.5.5.3 Incorrect SQL Queries

Ensure that the SQL queries that you specify when configuring the SQLAuthenticator are syntactically correct and refer to the correct tables. For example, the following error occurs in the Administration Server.log file when the wrong table name is specified for the password query:

####<Jul 7, 2011 4:03:27 PM BST> <Error> <Security> <gbr20020> <AdminServer> <[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <de7dd0dc53f3d0ed:e0ce69e:131007c1afe:-8000-00000000000007fa> <1310051007798> <BEA-000000> <[Security:090759]A SQLException occurred while retrieving password information
java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist
     at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:457)
     at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)
     at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:889)
     at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:476)

3.4.5.6 Correcting Database Adapter Errors by Deleting and Recreating the Adapter

You cannot modify an existing database adapter, so if you make an error in either the libovdadapter command, or the templates you use to create the adapters, you must delete then recreate the adapter using the following procedure.

To correct database adapter errors by deleting and recreating the adapter:

1. Log in to the WLS console by running the WLST script.

   For example:

   ORACLE_HOME/oracle_common/common/bin/wlst.sh (UNIX)

   ORACLE_HOME\oracle_common\common\bin\wlst.cmd (Windows)

2. Connect to your Administration Server using the following syntax:

   connect ('<WLS admin user name>','<WLS admin password>','t3://<admin server host>:<admin server port>')

   For example:

   connect('weblogic','weblogic','t3://myserver:9500')

3. Delete the misconfigured adapter using the following syntax:

   deleteAdapter(adapterName='<AdapterName>')

   For example:

   deleteAdapter(adapterName='userGroupAdapter2')

4. Exit the WLST console using the command exit() and recreate the adapter with the correct settings by following the steps outlined in Section 3.4.5.4.2, "Configuring a Database Adaptor".

3.4.6 Configuring Identity Store Virtualization Using Fusion Middleware Control

This section describes how to configure Oracle Business Intelligence to use Identity Store Virtualization using Fusion Middleware Control.

To configure identity store virtualization using Fusion Middleware Control:

If you are communicating with LDAP over SSL (one-way SSL only), see Section 5.14.2, "Configuring SSL when Using Multiple Authenticators".

For more information, see .

1. (Optional) If not already done, configure supported authentication providers as described in Section 3.4.

2. Log in to Fusion Middleware Control.

   For more information, see Section 1.6.2, "Using Oracle Fusion Middleware Control".

3. From the navigation pane expand the WebLogic Domain folder and select bi.

4. Right-click bi and select Security, then Security Provider Configuration to display the Security Provider Configuration page.

   
   

5. Expand Security Store Provider and Identity Store Provider, and click Configure to display the Identity Store Configuration page.

   
   

6. In the Custom Properties area, use the Add option to add the following custom properties:

   • Property Name=virtualize

     Value=true

   • Property Name=OPTIMIZE_SEARCH

     Value=true

   Note:

   The Property Name virtualize must be lowercase, and OPTIMIZE_SEARCH must be uppercase.

   Note:

   If you are using multiple authentication providers, go to Section 3.4, "Configuring Oracle Business Intelligence to Use Alternative Authentication Providers" and configure the Control Flag setting as follows:

   • If each user appears in only one authentication provider.

     Set the value of Control Flag for all authentication providers to SUFFICIENT.

   • If users appear in more than one authentication provider.

     Set the value of Control Flag for all authentication providers to OPTIONAL.

     For example, if a user's group membership is spread across more than one authentication provider

7. Click OK to save the changes.

8. Restart the Administration Server and Managed Servers.

3.4.7 Configuring Multiple Authentication Providers so that When One Fails, Users from Others can Still Log In to Oracle Business Intelligence

If you configure Oracle Business Intelligence to use multiple authentication providers, and one authentication provider becomes unavailable, users from the other authentication providers cannot log in to Oracle Business Intelligence. This section explains how to configure an authentication provider so that when it fails, users from other authentication providers can still log in to Oracle Business Intelligence. For more information, see Section 3.4.6, "Configuring Identity Store Virtualization Using Fusion Middleware Control").

When you cannot log in due to an authentication provider becoming unavailable, the following error message is displayed:

Unable to Sign In
An error occurred during authentication.
Try again later or contact your system administrator

If there is a possibility that one authenticator (from multiple configured authenticators) might become unavailable, and is not critical, use the following procedure to enable users from other authenticators to log in to Oracle Business Intelligence.

To configure multiple authentication providers so that when one fails, users from other authentication providers can still log in to Oracle Business Intelligence:

1. Open the file adapters.os_xml for editing.

   For example, on Windows, the file is located in:

   ORACLE_HOME\user_projects\domains\bi\config\fmwconfig\ovd\default

2. Locate the following element in the file:

   <critical>true</critical>>

   Change the value of the <critical> element to false in the adapters.os_xml file for each authenticator provider that is not critical, as follows:

   <critical>false</critical>

3. Save and close the file.

4. Restart WebLogic Administration Server and Managed Servers.

3.4.8 Setting the JAAS Control Flag Option

When you configure multiple authentication providers, use the JAAS Control Flag for each provider to control how the authentication providers are used in the login sequence. You can set the JAAS Control Flag in the Oracle WebLogic Server Administration Console. For more information, See "Set the JAAS control flag" in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help. You can also use the WebLogic Scripting Tool or Java Management Extensions (JMX) APIs to set the JAAS Control Flag for an authentication provider.

Setting the Control Flag attribute for the authenticator provider determines the ordered execution of the authentication providers. The possible values for the Control Flag attribute are:

• REQUIRED - This LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.

• REQUISITE - This LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is returned to the application.

• SUFFICIENT - This LoginModule need not succeed. If it does succeed, return control to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.

• OPTIONAL - This LoginModule can succeed or fail. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.

When additional Authentication providers are added to an existing security realm, by default the Control Flag is set to OPTIONAL. If necessary, change the setting of the Control Flag and the order of Authentication providers so that each Authentication provider works properly in the authentication sequence.

3.4.9 Configuring a Single LDAP Authentication Provider as the Authenticator

This topic explains how to reconfigure Oracle Business Intelligence to use a single LDAP authentication provider, by disabling the default WebLogic Server LDAP authenticator.

When you install Oracle Business Intelligence, the system is automatically configured to use WebLogic Server LDAP as the default authenticator. The install process will automatically generate the required users and groups in WebLogic Server LDAP. However, you may have your own LDAP directory (for example Oracle Internet Directory) that you may want to use as the default authenticator, and disable the WebLogic Server default authenticator. Having a single source authentication provider prevents user names and passwords being derived from multiple authentication sources, which could lead to multiple points of attack, or entry from unauthorizeed users.

This topic contains the following sections:

• Section 3.4.9.1, "Configuring Oracle Internet Directory LDAP Authentication as the Only Authenticator"

• Section 3.4.9.2, "Troubleshooting"

3.4.9.1 Configuring Oracle Internet Directory LDAP Authentication as the Only Authenticator

The examples shown in this section are for configuring Oracle Internet Directory (OID LDAP) but could easily apply to other LDAP authentication providers by using minor changes.

To configure Oracle Internet Directory LDAP authentication as the only authenticator:

• "Task 1 - Enable Backup and Recovery"

• "Task 2 - Configure the System to use WebLogic Server and an Alternative Authentication Provider"

• "Task 3 - Identify or Create Essential Users Required in OID LDAP"

• "Task 4 - Associate OID LDAP Groups with Global Roles in the WebLogic Console"

• "Task 5 - Set User to Group Membership in OID LDAP"

• "Task 6 - Remove the Default Authenticator"

• "Task 7 - Restart the BI Services"

• "Task 8 - Remove WebLogic Server Roles"

• "Task 9 - Stop Alternative Methods of Authentication"

3.4.9.1.1 Task 1 - Enable Backup and Recovery

Before you begin the process of disabling the WebLogic Server LDAP default method of authentication it is strongly recommended that you back up the system first. Otherwise, if you make an error during configuration you may find that you become locked out of the system or cannot restart it.

To enable backup and recovery, during the re-configuration phase, take a copy of the config.xml file in ORACLE_HOME\user_projects\domains\bi\config directory.

As you make changes it is advised that you keep copies of this file.

3.4.9.1.2 Task 2 - Configure the System to use WebLogic Server and an Alternative Authentication Provider

To remove the default WebLogic Server authenticators and use an alternative LDAP source (for example, OID LDAP), you must configure the system to use both WebLogic Server and the alternative method. For more information, see Section 3.4, "Configuring Oracle Business Intelligence to Use Alternative Authentication Providers". Your starting point should be that the WebLogic Server LDAP users (default authenticator) and the new alternative LDAP users are both configured to allow access to Oracle Business Intelligence.

When you have configured the system to enable you to log on as either a WebLogic Server LDAP user or an OID LDAP user, you can then proceed to follow the steps to remove the WebLogic Server default authenticator, as described in these tasks.

3.4.9.1.3 Task 3 - Identify or Create Essential Users Required in OID LDAP

You must ensure that the essential users shown in Table 3-6 are migrated from WebLogic Server LDAP to OID LDAP.

Table 3-6 Essential Users Required in OID LDAP

Standard WebLogic Server Users	New Users Required in OID LDAP
LCMManager,User	OID_LCMManagerUser (this can be any existing OID LDAP user)
For example, weblogic	OID_Weblogic (this can be any existing OID LDAP user)
OracleSystemUser	OracleSystemUser (this user must exist with this name in OID LDAP, which is a fixed requirement of OWSM)

Three users are created during install:

• weblogic (or whatever is specified during install or upgrade, so can be different).

  This administrator user is created during the install (sometimes called weblogic, but can have any name). You need to identify or create an equivalent user in OID LDAP but this user can have any name, which needs to be part of a group called Administrators.

• OracleSystemUser

  This user is specifically required (by Oracle Web Services Manager - OWSM) for the Global Roles mapping, and you must create this user in OID LDAP using this exact name.

3.4.9.1.4 Task 4 - Associate OID LDAP Groups with Global Roles in the WebLogic Console

The global role mappings shown in Table 3-7 must be configured in OID LDAP.

Table 3-7 Global Role Mapping in WebLogic Admin Console

Global Roles	Current WebLogic Server Groups	New OID LDAP Groups Required
Admin	Administrators	OID_Administrators
AdminChannelUsers	AdminChannelUsers	OID_AdminChannelUsers
AppTester	AppTesters	OID_AppTesters
CrossDomainConnector	CrossDomainConnectors	OID_CrossDomainConnectors
Deployer	Deployers	OID_Deployers
Monitor	Monitors	OID_Monitors
Operator	Operators	OID_Operators
OracleSystemRole	OracleSystemGroup	OracleSystemGroup (fixed requirement)

You must associate the global roles from Table 3-7 (displayed in the WebLogic Server Admin Console) with your replacement OID LDAP groups, before you can disable the default WebLogic Server authenticator.

To associate OID LDAP groups with global roles in Oracle WebLogic Server Administration Console:

1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

   For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

2. Select Security Realms from the left pane and click myrealm.

   The default Security Realm is named myrealm.

3. Click Realm Roles.

4. Click Global Roles and expand Roles.

   
   

5. Add a new condition for each Role as follows:

   Note:

   Do not do add a new condition for the Anonymous and Oracle System roles, which can both remain unchanged.

   1. Click View Role Conditions.

   2. Select group from the Predicate List drop down.

   3. Enter your newly-associated OID LDAP group from Table 3-7.

      For example, assign the Admin role to the OID_Administrators role.

      
      

      Note:

      Once you have successfully disable the Default WebLogic Server Authentication you can return here and remove the old WebLogic Server groups (for example, here you would remove Group: Administrators). For more information, see Task 8 - Remove WebLogic Server Roles.

   4. Save your changes.

3.4.9.1.5 Task 5 - Set User to Group Membership in OID LDAP

Now that you have created new users and groups in OID LDAP to replicate the users and groups automatically created in WebLogic Server LDAP you must ensure that these users and groups also have the correct group membership in OID LDAP as shown in Table 3-8.

Table 3-8 User to Group Membership Required in OID LDAP

New OID LDAP User	Is A Member Of These New OID LDAP Groups
OID_Weblogic	OID_Administrators OID_BIServiceAdministrators
OracleSystemUser Note: A user with this exact name must exist in OID LDAP.	OracleSystemGroup Note: A group with this exact name must exist in OID LDAP

Note:

In order to achieve the user and group membership shown in Table 3-8 you must have suitable access to update your OID LDAP server, or someone else must be able to update group membership on your behalf.

3.4.9.1.6 Task 6 - Remove the Default Authenticator

You are now ready to remove the Default Authenticators.

To remove the default authenticators:

You must have first created an LDAP authenticator that maps to your LDAP source (for more information, see Task 2 - Configure the System to use WebLogic Server and an Alternative Authentication Provider).

1. Change the Control Flag from SUFFICIENT to REQUIRED in the Oracle WebLogic Server Administration Console.

   For more information, see Section 3.4.8, "Setting the JAAS Control Flag Option".

   
   

2. Save the changes.

3. Delete any other authenticators so that your OID LDAP authenticator is the single source.

   
   

3.4.9.1.7 Task 7 - Restart the BI Services

Now you are ready to restart the BI services. You must use the new OID administrator user (for example, OID_Weblogic), because the WebLogic Server administration user created during installation was removed, and users now exist in the single OID source. The OID administration user must have sufficient privileges (granted by the Global Admin role) to start WebLogic.

Note:

When you log in to the Administration Tool online you must now provide the OID LDAP user and password (for example, OID_Weblogic) along with the repository password.

3.4.9.1.8 Task 8 - Remove WebLogic Server Roles

Complete this task if everything is working correctly.

Note:

Back up your config.xml, now, before performing this step (see Task 1 - Enable Backup and Recovery)

To remove all automatically created WebLogic server roles from the OR clause:

1. Edit global roles.

   For more information, see Task 4 - Associate OID LDAP Groups with Global Roles in the WebLogic Console.

2. Remove all WebLogic Server roles that were automatically created, from the OR clause.

   For example:

   • Admin

   • AdminChannelUsers

   • AppTester

   • CrossDomainConnector

   • Deployer

   • Monitor

   • Operator

3. Save your changes.

3.4.9.1.9 Task 9 - Stop Alternative Methods of Authentication

Oracle Business Intelligence allows various forms of authentication methods to be applied at once. While some can see this as a desirable feature it also comes with security risks. To implement a single source of authentication, you must remove the authentication methods that use initialization blocks from the Metadata Repository.

To stop all initialization block authentication access:

You stop access through initialization blocks using the Oracle BI Administration Tool. Successful authentication requires a user name, and initialization blocks populate user names using the special system session variable called USER.

1. Remove the USER System Variable from the Metadata Repository.

2. Ensure that initialization blocks in the Metadata Repository have the Required for authentication check box cleared.

3. Check that initialization blocks in the Metadata Repository that set the system session variables PROXY and PROXYLEVEL do not allow users to bypass security.

   The system variables PROXY and PROXYLEVEL allow connected users to impersonate other users with their security profile. This method is acceptable when the impersonated user account has less privileges, but if the account has more privileges it can be a security issue.

Caution: If you disable an initialization block, then any dependent initialization blocks will also be disabled.

You can now be sure that any attempted access using initialization block authentication cannot be successful. However, you must check all of your initialization blocks.

3.4.9.2 Troubleshooting

You might receive the following error after you have configured Oracle Internet Directory LDAP authentication as the single source:

<Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed.

Reason: weblogic.security.SecurityInitializationException: User <oidweblogic> is not permitted to boot the server. The server policy may have changed in such a way that the user is no longer able to boot the server. Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.

Solution

If when you restart the system as the new WebLogic OID LDAP administrator (oidweblogic), you are locked out, and the message is displayed, it is because the oidweblogic user has insufficient privileges. The oidweblogic user requires the Admin global role to enable it to belong to an OID LDAP Administrator group. You resolve this issue by adding the BIServiceAdministrators group (or an OID LDAP equivalent) to the Admin global role.

Note:

To restore a previously working configuration, you must replace the latest updated version of the config.xml file with a backup version that you have made before changing the configuration (for more information, see Task 1 - Enable Backup and Recovery).

To complete the restoration of the backup config.xml file, restart Oracle Business Intelligence as the original WebLogic administrator user, instead of as the OID LDAP user.

3.5 Resetting the BI System User Credential

In 11g a user called BISystemUser was created in the embedded WebLogic LDAP, but in 12c this user no longer exists and has been replaced with a single credential. This credential is populated with securely-generated random values at BI domain creation time and is stored in the Credential Store. If at any time you need to reset the user name or password of this credential, follow these steps.

To reset the BI System User credential:

1. From the Fusion Middleware Control target navigation pane, expand the farm, then expand WebLogic Domain, and select bi.

   • From the WebLogic Domain menu, select Security, then Credentials.

   • Open the oracle.bi.system credential map, select system.user and click Edit.

     
     Description of the illustration ''bisystem_cred.gif''
     
     

   • In the Edit Key dialog, update the user name or password as required. Ensure that these values do not match the credentials of a user in your Identity Store.

     
     

   • Click OK.

2. Restart the system