11 Managing Security in Oracle Data Integrator

This chapter describes how to set up security in Oracle Data Integrator. It includes an overview of Oracle Data Integrator security concepts and components.

This chapter includes the following sections:

11.1 Introduction to Oracle Data Integrator Security

Oracle Data Integrator security is used to secure any action performed by authenticated users against the design-time and run-time artifacts and components of Oracle Data Integrator.

The Oracle Data Integrator security model is based on granting privileges on methods, objects types, or specific object instances to users.

All the security information for Oracle Data Integrator is stored in the master repository.

This section contains the following topics:

11.1.1 Objects, Instances, and Methods

An object is a representation of a design-time or run-time artifact handled through Oracle Data Integrator. Examples of objects include agents, projects, models, data stores, scenarios, mappings, and even repositories. Specific objects have a double name, such as Agent/Context and Profile/Method. These objects represent links between objects. These links are also objects. For instance, Agent/Context corresponds to a physical/logical agent association made through the contexts. Privileges on this object enable the ability to change this association in the topology.

An instance is a particular occurrence of an object. For example, the Datawarehouse project is an instance of the Project object.

A method is an action that can be performed on an object, such as edit, delete, and so on. Each object has a predefined set of methods.

Note:

The notions of object instance and method in Oracle Data Integrator are similar to the same concepts used in object-oriented programming.

CAUTION:

Although they appear in the Security Navigator, objects and methods are predefined in Oracle Data Integrator and should not be altered.

11.1.2 Profiles

A profile contains a set of privileges for working with Oracle Data Integrator. You can assign one or more profiles to a user, or to a role, to grant the sum of the privileges in those profiles to that user or role.

A profile method is an authorization granted to a profile on a method of an object type. Each granted method allows a user with this profile to perform an action on all instances of an object type.

In Oracle Data Integrator Studio, methods granted to a profile appear under this profile in the Profiles navigation tree of the Security Navigator. When a method does not appear for a given profile, this profile does not have access to this method.

A method can be granted as a generic or nongeneric privilege:

  • A method granted as a generic privilege is granted by default on all the instances of this object.

  • A method granted as a nongeneric privilege is not granted by default on all object instances, but may be granted on a per instance basis.

Generic vs. Nongeneric Profiles

Generic profiles have the generic privilege option selected for all object methods. This implies that a user, or role, with such a profile is by default authorized for all methods of all instances of an object to which the profile is authorized.

Nongeneric profiles are not by default authorized for all methods on the instances because the generic privilege option is not selected for all object methods. You must grant the user, or role, the rights on the methods for each instance.

If you want a user, or role, to have the rights on no instance by default, but want to grant the rights on a per instance basis, the user or role must be given a nongeneric profile.

If you want a user or role to have the rights on all instances of an object type by default, you must give the user or role a generic profile.

Built-In Profiles

Oracle Data Integrator contains built-in profiles that you can assign to the users or roles you create.

Table 11-1 shows the built-in profiles provided by Oracle Data Integrator.

Table 11-1 Built-In Profiles

Profile Name Description

CONNECT

Profile granted with the basic privileges to connect to Oracle Data Integrator. It should be granted with another profile.

CONSOLE

Profile granted with privileges to use the Oracle Data Integrator Console.

DESIGNER

Profile granted with privileges to perform development operations. Use this profile for users who will work mainly on projects.

METADATA_ADMIN

Profile granted with privileges to manage metadata. Use this profile for users that will work mainly on models.

NG_CONSOLE

Nongeneric version of the CONSOLE profile.

NG_DESIGNER

Nongeneric version of the DESIGNER profile.

NG_METADATA_ADMIN

Nongeneric version of the METATADA_ADMIN profile.

NG_VERSION_ADMIN

Nongeneric version of the VERSION_ADMIN profile.

OPERATOR

Profile granted with privileges to manage run-time objects. Use this profile for production users.

RELEASE_MANAGER

Profile granted with privileges to perform release management tasks through deployment archives.

SECURITY_ADMIN

Profile granted with privileges to edit security. Use this profile for security administrators.

TOPOLOGY_ADMIN

Profile granted with privileges to edit the Topology. Use this profile for system or Oracle Data Integrator administrators.

VCS_ADMIN

Profile granted with privileges to configure SVN systems, create tags, and branches.

VERSION_ADMIN

Profile granted with privileges to create, restore and edit versions and solutions. Use this profile for project managers, or developers who are entitled to perform version management operations.

Note:

Oracle recommends not modifying built-in profiles because they evolve to secure new features of Oracle Data Integrator. If you want to customize your own profiles or existing profiles, Oracle recommends that you create copies of the built-in profiles and then customize those copies.

11.1.3 Users

A user is an Oracle Data Integrator user. A user inherits the following privileges:

  • All the privileges granted to its various profiles

  • Privileges on objects or instances, or both, given to this user

A user method is a privilege granted to a user on a method of an object type. Each granted method allows the user to perform an action (edit, delete, and so forth) on instances of an object type (project, model, data store, and so forth). These methods are similar to profiles methods, but applied to users.

You can grant users with privileges on instances on specific work repositories where these instances exist. For example, you may grant a developer user with the edit privilege on the LOAD_DATAWAREHOUSE scenario on the a DEVELOPMENT repository and not on a PRODUCTION repository.

You grant an authorization by object instance to a user on an object instance. It allows you to grant to this user certain methods of this object instance.

An authorization by object instance for a given instance that appears in a user's tree indicates that the user is granted specific privileges on the object methods for the given instance. You specify these privileges in the object instance editor. If an instance is not visible in the tree of the user instances, then the User Method or Profile Method privileges for the object type apply.

Because an instance may be replicated over the different work repositories that are attached to the master repository, you can define authorizations by object instances for one, several, or all your work repositories that are attached to this master repository. For example, you can replicate a LOAD_DATAWAREHOUSE scenario instance (using, for example, versioning) in the DEVELOPMENT, TEST, and PRODUCTION repositories. Privileges on the instance can change depending on the repository. For example, it is common to replicate projects from a development repository to a test repository. You can grant edit privileges to a developer for that developer's project in the development repository, but not in the test repository. In the test repository, the developer is granted with only view privileges on the project.

11.1.4 Roles

If Oracle Data Integrator is configured to use external authentication (see "Configuring External Authentication"), you can leverage the enterprise role integration feature in Oracle Data Integrator. Enterprise role integration in Oracle Data Integrator is based on the authorization model in Oracle Platform Security Services (OPSS). This feature allows you to map enterprise roles to Oracle Data Integrator roles, enabling enterprise users of a particular enterprise role to access Oracle Data Integrator through the permissions granted to the Oracle Data Integrator roles in the mapping.

Enterprise role integration in Oracle Data Integrator enables you to:

  • Create a set of Oracle Data Integrator roles.

  • Grant Oracle Data Integrator privileges (instance level and type level) and profiles to Oracle Data Integrator roles.

  • Map enterprise principals — that is, users or roles — defined in an external identity store to Oracle Data Integrator roles.

  • Determine the privileges granted to a user who is authenticated into Oracle Data Integrator by evaluating all the Oracle Data Integrator roles to which the user is mapped directly or indirectly through enterprise roles. (Privileges are automatically calculated during authorization.).

For an introduction to enterprise roles, see "Understanding Users and Roles" in Securing Applications with Oracle Platform Security Services. For details about how enterprise role integration works in Oracle Data Integrator and how you can manage roles in Oracle Data Integrator Studio, see "Mapping Principals Defined in an Identity Store to Oracle Data Integrator Roles".

11.2 User Management

This section explains how to use the different security capabilities to enforce security in Oracle Data Integrator.

This section contains the following topics:

11.2.1 Security Policy Approaches

Two main approaches are available for defining the security in Oracle Data Integrator:

  • The strongly secured approach, where users have no default authorizations on objects. This approach uses only nongeneric profiles. The security administrator must grant users authorizations on object instances. This policy is complex to configure because it requires managing privileges by instance.

  • The generic approach, where users inherit the privileges of the profiles they have. This policy is suitable in most cases and is simple to configure.

To implement a strongly secured approach:

  1. Create the users.

  2. Give the users nongeneric profiles (built-in or customized).

  3. Grant the users privileges on object instances after those instances are created. This operation must be repeated for every new instance.

To implement a generic approach:

  1. Create the users.

  2. Give the users the generic profiles (built-in or customized).

Note:

It is possible to combine the two approaches by simultaneously using generic and non generic profiles. For example, by using DESIGNER and NG_METADATA_ADMIN for the users, you manage projects in a generic approach, and manage models in a strongly secured approach.

11.2.2 Managing Profiles

You can create, delete, or duplicate profiles. Creating and duplicating profiles enables you to customize the profiles assigned to users. The following topics provide the steps for performing these procedures in Oracle Data Integrator Studio.

11.2.2.1 Creating a New Profile

To create a profile:

  1. In Security Navigator, expand the Profiles navigation tree.

  2. Click New Profile in the toolbar of the Profiles navigation tree.

  3. In the Name field, enter a name for your profile.

  4. From the File main menu, select Save.

The new profile appears.

11.2.2.2 Duplicating a Profile

To duplicate a profile:

  1. In Security Navigator expand the Profiles navigation tree.

  2. Select the profile that you want to duplicate from the list of profiles.

  3. Right-click and select Duplicate.

A new profile appears, which is a copy of the original profile.

11.2.2.3 Deleting a Profile

To delete a profile:

  1. In Security Navigator expand the Profiles navigation tree.

  2. Select the profile that you want to delete from the list of profiles.

  3. Right-click and select Delete.

  4. Click OK in the Confirmation dialog.

The profile disappears from the list. All users granted with this profile lose the privileges attached to this profile.

11.2.3 Managing Users

The way in which you manage users depends, in part, on where the user is defined. By default, a user corresponds to the login name used to connect to a repository and is persisted in the internal repository of Oracle Data Integrator. However, if external authentication is enabled for Oracle Data Integrator components:

  • Users authenticated into Oracle Data Integrator are created and managed in an external identity store, such as Oracle Internet Directory. You use the tools and utilities provided with that store to create, update, and delete users.

  • To let external users access Oracle Data Integrator, you can do any of the following:

    • Map the external user to an Oracle Data Integrator role.

    • Map any of the enterprise roles to which this external user belongs to an Oracle Data Integrator role.

    • Register the external user in Oracle Data Integrator using the Security Navigator as in prior releases.

  • You can assign profiles or other security privileges directly to external users who are registered in Oracle Data Integrator. Or you can assign profiles or other security privileges to an Oracle Data Integrator role, and then map external users (or any of the external users' enterprise roles) to that Oracle Data Integrator role. By doing the latter, an external user can inherit all the profiles or privileges granted to the Oracle Data Integrator role.

    You can also map an enterprise user (or the user's enterprise roles) to multiple Oracle Data Integrator roles. When a user is authenticated, Oracle Data Integrator calculates the user's privileges as a union of all the privileges granted to all the Oracle Data Integrator roles in the mapping.

For more information about external authentication, see "Configuring External Authentication". For more information about enterprise role integration, see "Mapping Principals Defined in an Identity Store to Oracle Data Integrator Roles".

11.2.3.1 Creating a New User in the Internal Repository

To create a user in the internal repository of Oracle Data Integrator:

  1. In Security Navigator expand the Users navigation tree.

  2. Click New User in the toolbar of the Users navigation tree.

  3. In the Name field, enter a name for your user.

  4. Provide the Initials for this user.

  5. Do one of the following:

    • If using internal authentication, click Enter the Password and provide a password for this user.

    • If using external authentication, click Retrieve GUID to associate the new user with a user from the external identity store. The user name in Oracle Data Integrator must match the user name in the identity store. If a match is found, a Global Unique ID appears in the External GUID field.

  6. From the File main menu, select Save.

The new user appears in the Users navigation tree. From the User editor, an ODI supervisor user can disable other ODI user accounts including other supervisor accounts.

WARNING:

At least one supervisor user account should be maintained at all times. If all supervisor user accounts expire, contact Oracle Support.

11.2.3.2 Assigning a Profile to a User

To assign a profile to a user:

  1. In Security Navigator expand the Users and the Profiles navigation trees.

  2. Select the profile that you want to assign, then drag it on the user you want to assign it to.

  3. Click OK in the Confirmation dialog.

The profile appears under the profiles of this user. The user is immediately granted the privileges attached to this profile.

Note:

If external authentication is enabled, you can assign profiles to roles. Users who are defined in a given Oracle Data Integrator role are granted all the profiles assigned to that role. Enterprise role integration gives you a more convenient and coarse-grained approach to managing the privileges granted to users. For more information, see "Assign Privileges or Profiles to Oracle Data Integrator Roles".

11.2.3.3 Removing a Profile from a User

To remove a profile from a user:

  1. In Security Navigator expand the Users navigation tree.

  2. Expand the Profiles node under the user.

  3. Right-click the profile to be removed.

  4. Select Delete.

  5. Click OK in the Confirmation dialog.

The profile disappears from the list of profiles assigned to this user. All privileges granted to this user by this profile are removed.

Note:

If external authentication is enabled, you can remove profiles from roles. Users who are defined in a given Oracle Data Integrator role are granted only the profiles assigned to that role. For more information, see "Assign Privileges or Profiles to Oracle Data Integrator Roles".

11.2.3.4 Deleting a User from the Internal Repository

To delete a user that is defined in the internal repository of Oracle Data Integrator:

  1. In Security Navigator expand the Users navigation tree.

  2. From the list of users, select the user that you want to delete.

  3. Right-click and select Delete.

  4. Click OK in the Confirmation window.

The user disappears from the list.

11.2.3.5 Viewing User Connection Information

To view user connection information:

  1. From the Security Navigator toolbar menu, select Review User Activity....
    The User Connections dialog appears.

  2. Enter the filter criteria to view relevant user connection information and click Filter.

User connections are displayed in the Connections section, based on the set filter criteria.

11.2.4 Managing Privileges

After creating users and profiles, you can grant privileges to these users and profiles. You can grant profile methods and user methods that apply to object types, and you can also grant authorizations by object instances (for users only) that apply to specific object instances.

Note:

If external authentication is enabled for Oracle Data Integrator components, you can manage privileges for users more conveniently by using the enterprise role integration feature. For more information, see "Using the Roles Editor".

11.2.4.1 Granting a Profile Method or User Method

To grant a profile method or user method:

  1. In Security Navigator expand the Users or Profiles navigation tree.

  2. Expand the Objects navigation tree, and expand the node of the object for which you want to grant a privilege.

  3. Select the method that you want to grant, then drag it on the user or profile you want to grant the method to.

  4. Click OK in the Confirmation window.

The method is granted to the user or the profile. The method appears either under the objects node of this user or under the profile.

Note:

You can grant privileges on all the methods of an object by dragging the object itself onto the user or profile instead of dragging one of its methods.

11.2.4.2 Revoking a Profile Method or User Method

To revoke a profile method or user method:

  1. In Security Navigator expand the Users or Profiles navigation tree.

  2. Expand the Profiles or the Objects node under the user for which you want you revoke privileges, then expand the object whose method needs to be revoked.

  3. Right-click the method and then select Delete.

  4. Click OK in the Confirmation dialog.

The method is revoked from the user or the profile. It disappears from the methods list under the objects node of this user or profile.

11.2.4.3 Granting an Authorization by Object Instance

To grant an authorization by object instance to a user:

  1. In Security Navigator expand the Users navigation tree.

  2. In the Designer, Operator, or Topology Navigator, expand the navigation tree containing the object to which you want to grant privileges.

  3. Select this object, then drag it onto the user in the Users navigation tree. The authorization by object instance editor appears. This editor shows the list of methods available for this instance and the instances it contains. For example, if you grant privileges on a project instance, the folders and mappings contained in this project appear in the editor.

  4. Fine tune the privileges granted per object and method. You may want to implement the following simple privilege policies on methods that you select from the list:

    • To grant all these methods in all repositories, click Allow selected methods in all repositories.

    • To deny all these methods in all repositories, click Deny selected methods in all repositories.

    • To grant all these methods in certain work repositories, click Allow selected methods in selected repositories, then select the repositories from the list.

  5. From the File main menu, select Save.

Note:

Only certain objects support authorization by object instance. These object types are listed under the Instances node for each user.

Methods for which the user has generic privileges are not listed in the Object Instance Editor.

11.2.4.4 Revoking an Authorization by Object Instance

To revoke an authorization by object instance from a user:

  1. In Security Navigator expand the Users navigation tree.

  2. Expand the Instances node under the user for which you want you revoke privileges.

  3. Right-click the instance from which you want to revoke an authorization, and then select Delete.

  4. Click OK in the Confirmation dialog.

The authorizations on this object instance are revoked from the user.

Note:

You can also revoke privileges per method by editing the Authorization by Object instance and denying certain methods to this user. After this operation, if the user no longer has any privilege on an instance, the instance automatically disappears from the tree in Security Manager.

11.2.4.5 Cleaning up Unused Authorizations

Authorizations by object instance are stored in the master repository. However, if objects are deleted from all work repositories, the authorization are not necessarily deleted. You may wish to retain certain unused authorizations; for example, if they refer to objects currently stored in an exported file or in a stored solution.

You should use the Security Clean-up Tool periodically to remove these unused authorizations from the master repository. Unused authorizations are removed if they refer to objects that do not exist in the master repository or in any work repository.

Note:

All work repositories attached to the master repository must be accessible so that you can verify the existence of the objects in those repositories

To clean up unused authorizations:

  1. From the Security Navigator toolbar menu, select Clean Up Security Settings.... The Security Clean-up Tool dialog appears.

  2. On the Cleanable tab, select Clean for the cleanable security settings you want to remove. The security settings that cannot be removed are shown on the Non-cleanable tab.

  3. Click OK to clean up the selected security settings.

11.3 Advanced Encryption Standard

Oracle Data Integrator 12c (12.1.3) has strengthened security by using the Advanced Encryption Standard (AES), a Federal Information Processing Standard. The AES algorithm is a block cipher that can be used to encrypt and decrypt digital information. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits. ODI uses AES-128 for password encryption and you can also configure ODI to use AES-256.

AES is a symmetric block encryption algorithm and a secret key or master key is used when AES transforms plaintext to ciphertext and conversely when ciphertext is converted to plaintext. Due to security considerations, the master key must be generated automatically and cannot be hard coded. ODI generates a master key string for the AES algorithm during the creation of a master repository. Different repositories have different master keys and when ciphertext is migrated from one repository to another in ODI, you must provide an export key. The export key is used to encrypt any sensitive data that is contained in the exported object. For more information, see "Export Keys" in Developing Integration Projects with Oracle Data Integrator.

Note:

To use AES-256, you must download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files from the Oracle Java Download site, accept the download terms and conditions, and then replace the existing policy files with the downloaded policy files in JRE_HOME/lib/security.

11.4 Using a Password-Protected Wallet for Storing Login Credentials

Prior to logging in to Oracle Data Integrator Studio for the first time, you must create a login name for which you specify your Oracle Data Integrator login credentials. These credentials include your Oracle Data Integrator user name and password, and also the Oracle Data Integrator master repository database user name and password. Oracle Data Integrator can save these credentials in either an encrypted login XML file or a password-protected wallet. By default, they are saved in a password-protected wallet.

The use of password-protected wallets for storing database login credentials is strongly recommended by Oracle. To generate password-protected wallets, Oracle Data Integrator leverages the Oracle Wallet features in Oracle Platform Security Services (OPSS). Password-protected wallets use a strong encryption algorithm to secure the wallet's contents.

Note the following about using the password-protected wallet in Oracle Data Integrator Studio:

  • When you create the wallet, you specify the wallet password and the days until the password expires. Oracle Data Integrator then stores the repository login credentials in the wallet.

  • When you connect to an Oracle Data Integrator repository, you need only to enter the wallet password. All repository login credentials are then automatically retrieved from the wallet.

  • The wallet file is named ewallet.p12 and is placed in the following directory:

    Windows: %APPDATA%\odi\oracledi\ewallet

    UNIX: $HOME/.odi/oracledi/ewallet

    Note:

    Depending on your environment, you might first need to create the root directory for the wallet. For more information, see "Creating the Password-Protected Wallet".

  • When the wallet password expires, Oracle Data Integrator Studio automatically prompts you to enter a new one when you attempt to log in to Studio.

  • You can change the wallet password and expiration at any time from Studio.

The following sections explain how to create and use the password-protected wallet for storing Oracle Data Integrator login credentials:

11.4.1 Creating the Password-Protected Wallet

When logging in to Studio for the first time, you can create the password-protected wallet using the following steps:

  1. Create the root directory on your machine for storing the wallet, if it does not already exist.

    Windows:

    On Windows machines, you must create the root directory path odi\oracledi in the location represented by the environment variable %APPDATA%. For example:

    c:\> mkdir %APPDATA%\odi\oracledi

    UNIX:

    On UNIX machines, you must create the root directory path .odi/oracledi in the location represented by the environment variable $HOME. For example:

    prompt> mkdir -p $HOME/.odi/oracledi/

  2. Change to the ORACLE_HOME/odi/studio directory.

  3. Launch Oracle Data Integrator Studio by running the following command:

    Windows:

    odi.exe

    UNIX:

    ./odi.sh

    The Studio main window is displayed.

  4. Click Connect to Repository...

    The New Wallet Password dialog box is displayed, shown in Figure 11-1.

    Figure 11-1 New Wallet Password Dialog Box

    Description of Figure 11-1 follows
    Description of ''Figure 11-1 New Wallet Password Dialog Box''

  5. Choose the default option, Store passwords in a secure wallet, then enter the password in the Wallet Password and Confirm Wallet Password fields.

    Optionally, you can change the password expiration.

  6. Click OK.

    You are then prompted to enter login credentials for the master repository. For more information about the required credentials, see "Creating the Master Repository".

Subsequently, each time you log in to Studio and connect to a repository, you are prompted for the wallet password.

11.4.2 Permitting Repository Access to Other Users

To give Oracle Data Integrator users access to the repository, you can distribute the password-protected wallet to them in either of the following ways:

  • Provide each user with a copy of the ewallet.p12 file you created, along with the password you specified.

  • Create an individual password-protected wallet for each Oracle Data Integrator user. This allows you to set a different password for each wallet.

When creating a wallet for other users, be sure to do the following:

  1. Prior to creating a new wallet, move the existing ewallet.p12 file to a different directory.

  2. When creating a wallet for other users, set the expiration to 0 days. This way, when users connect to the repository for the first time, they are prompted to set a new password for their wallets (see "Changing the Wallet Password").

All password-protected wallet files for Oracle Data Integrator Studio must be named ewallet.p12 and must be placed in the ~oracledi/ewallet directory on each machine from which it is used, as explained in "Creating the Password-Protected Wallet".

11.4.3 Changing the Wallet Password

When the wallet password expires, you are automatically prompted to enter a new one when you try to connect to a repository. However, you can also change the wallet password from Studio at any time, as follows:

  1. Launch Oracle Data Integrator Studio.

  2. From the ODI menu, choose Change Wallet Password....

    The Change Wallet Password dialog box is displayed, shown in Figure 11-2.

    Figure 11-2 Change Wallet Password Dialog Box

    Description of Figure 11-2 follows
    Description of ''Figure 11-2 Change Wallet Password Dialog Box''

  3. Enter the current password and the new password, then confirm your new password.

    Optionally, you can also change the expiration.

  4. Click OK.

11.4.4 Customizing How Login Credentials Are Saved

Oracle Data Integrator Studio provides the following options for storing login credentials:

  • You can enable or disable the saving of login credentials.

  • If login credentials are being saved, you can choose between saving them in a password-protected wallet or a login XML file.

To change whether or how login credentials are saved, complete the following steps:

  1. Launch Oracle Data Integrator Studio.

  2. From the Tools menu, choose Preferences...

    The Preferences dialog box is displayed.

  3. In the Preferences dialog box, expand the ODI node, then select User Interface.

    The Preferences dialog box, shown in Figure 11-3, displays the following options for saving login credentials:

    • Save Login Credentials — Select this option to save credentials.

    • Save Login Credentials into Wallet — Select this option to store the Oracle Data Integrator login credentials in a password-protected wallet.

      If Save Login Credentials is selected, but Save Login Credentials into Wallet is deselected, login credentials are saved in a login XML file.

    By default, both options are selected, which is the setting recommended by Oracle.

  4. If you change any preferences, click OK.

Figure 11-3 Preferences Dialog Box for Saving Login Credentials

Description of Figure 11-3 follows
Description of ''Figure 11-3 Preferences Dialog Box for Saving Login Credentials''

11.5 Setting Up External Password Storage

Oracle Data Integrator stores by default all security information in the master repository. This password storage option is called internal password storage.

Oracle Data Integrator can optionally use OPSS for storing critical security information. When using OPSS with Oracle Data Integrator, the data server passwords and context passwords are stored in the OPSS Credential Store Framework (CSF). This password storage option is called external password storage.

Note:

When using external password storage, other security details such as user names, password, and privileges remain in the master repository. It is possible to externalize the authentication and have users and password stored in an identity store using external authentication. Note also: The external password storage option is unrelated to the external authentication feature. For more information about external authentication, see "Configuring External Authentication".

To use the external password storage option:

  1. You need to install a WebLogic Server instance configured with OPSS.

  2. All Oracle Data Integrator components, including the run-time agent, need to have access to the remote credential store.

See "Configuring Java EE Applications to Use OPSS" in Securing Applications with Oracle Platform Security Services for more information.

11.5.1 Setting the Password Storage

There are four ways to set or modify the password storage:

11.5.2 Switching the Password Storage

Switching the password storage of the Oracle Data Integrator repository changes how data servers and contexts passwords are stored. This operation must be performed by a SUPERVISOR user.

Use the Switch Password Storage wizard to change the password storage options of the data server passwords.

Before launching the Switch Password Storage wizard perform the following tasks:

  • Disconnect Oracle Data Integrator Studio from the repository.

  • Shut down every component using the Oracle Data Integrator repository.

To launch the Switch Password Storage wizard:

  1. From the ODI main menu, select Password Storage > Switch...

  2. Specify the login details of your Oracle Data Integrator master repository as defined when connecting to the master repository (see: "Connecting to the Master Repository").

  3. Click Next.

  4. Select the password storage:

    • Select Internal Password Storage if you want to store passwords in the Oracle Data Integrator repository.

    • Select External Password Storage if you want use OPSS Credential Store Framework (CSF) to store the data server and context passwords.

      If you select external password storage, you must provide the MBean Server Parameters to access the credential store described in Table 11-2, and then click Test Connection check the connection to the MBean Server.

      Table 11-2 MBean Server Parameters

      Server Host JMX Port User Password

      From the list, select the application server.

      MBeans server host. For example, mymachine.oracle.com

      MBeans Server Port. For example, 7001

      MBeans Server user name. For example, weblogic

      MBean server password

  5. Click Finish.

The password storage options have been changed. You can now reconnect to the Oracle Data Integrator repository.

11.5.3 Recovering the Password Storage

Oracle Data Integrator offers a password recovery service that should be used only in case of an external password storage crash. Using this procedure, password storage is forced to internal password storage because external storage is no longer available. This operation should be performed by a supervisor user.

CAUTION:

When performing a password storage recovery, passwords for context, data servers, JDBC password of the work repository and Enterprise Scheduler related passwords are lost and need to be re-entered manually in Topology Navigator.

Use the Recover Password Storage wizard to start the password recovery.

To launch the Recover Password Storage wizard:

  1. From the ODI main menu, select Password Storage > Recover...

  2. Specify the login details of your Oracle Data Integrator master repository defined when connecting to the master repository (see: "Connecting to the Master Repository").

  3. Click Finish.

  4. Re-enter manually data server and context passwords. Refer to "Setting Up a Topology" for more information.

11.6 Managing the Authentication Mode

By default, Oracle Data Integrator users are authenticated using the identity information contained in the master repository. However, Oracle Data Integrator users can be authenticated using an external authentication service instead: Using Oracle Platform Security Services (OPSS), Oracle Data Integrator users are authenticated against an external enterprise identity store (for example, an LDAP server such as Oracle Internet Directory or Microsoft Active Directory), which contains enterprise users and enterprise roles in a central place.

When external authentication is enabled, the master repository retains the Oracle Data Integrator specific privileges. External users do not need to be created in Oracle Data Integrator's internal repository. Instead, external user credentials rely on a centralized identity store, and authentication always takes place against this external store.

The authentication mode (internal or external) can be defined when you create the repository, and can also be switched for existing repositories, as explained in "Setting the Authentication Mode in the Master Repository".

For details about configuring external authentication, see "Configuring External Authentication".

11.6.1 Setting the Authentication Mode in the Master Repository

There are two ways to set the authentication mode:

Note:

Before you can select external authentication mode in the master repository, you must configure external authentication, as explained in "Configuring External Authentication".

11.7 Configuring External Authentication

By default, Oracle Data Integrator stores all user information as well as users' privileges in the master repository. When a user logs to Oracle Data Integrator, it authenticates against the master repository. This authentication method is called internal authentication.

However, you can customize Oracle Data Integrator to use Oracle Platform Security Services (OPSS) to authenticate users that are defined in an enterprise identity store, which is typically an LDAP server such as Oracle Internet Directory or Microsoft Active Directory. The identity store contains enterprise user information and enterprise roles. Such an identity store is used at the enterprise level by applications to have centralized user definitions and to support single sign-on (SSO). In Oracle Data Integrator, this authentication method is called external authentication. Configuring external authentication enables you to leverage the standard Java Security Model authentication and authorization services that are provided by OPSS. When using external authentication, ODI uses the LDAP common name (cn) attribute to match ODI users to LDAP users.

To use external authentication, you need to configure an enterprise identity store and also configure each Oracle Data Integrator component to refer to that identity store.

Note:

When using external authentication, only users and passwords are externalized. Oracle Data Integrator privileges remain within the repository.

The following sections explain how to set up external authentication for the Studio and the Standalone agent:

11.7.1 Configuring Oracle Data Integrator Studio for External Authentication

To configure Oracle Data Integrator Studio with external authentication, you must do the following:

  1. Set Up the OPSS Configuration File

  2. Create a Wallet File for an LDAP Bootstrap User

  3. Set External Authentication when Creating the Master Repository

11.7.1.1 Set Up the OPSS Configuration File

The configuration to connect and use the identity store is contained in the OPSS configuration file, called jps-config-jse.xml. To configure Oracle Data Integrator components with external authentication, you must set up this configuration file to correspond to the external identity store that you plan to use.

To set up the OPSS configuration file, complete the following steps:

  1. Create the odi/oracledi directory on your machine, if it does not already exist. For example:

    Windows:

    c:\> mkdir %APPDATA%\odi\oracledi

    UNIX:

    prompt> mkdir -p $HOME/.odi/oracledi/

  2. Copy the following files into the odi/oracledi directory:

    • ORACLE_HOME/oracle_common/modules/oracle.jps_12.1.2/domain_config/jse/jps-config.xml

    • ORACLE_HOME/oracle_common/modules/oracle.jps_12.1.2/domain_config/jse/system-jazn-data.xml

  3. Change to the odi/oracledi directory.

  4. Rename jps-config.xml to jps-config-jse.xml.

  5. Open jps-config-jse.xml in an editor.

  6. Add a service instance for the identity store provider and include the following properties:

    • The service instance name. For example, for Oracle Internet Directory, name="idstore.oid".

    • The idstore.type property.

    • The bootstrap.security.principal.map property.

    • The bootstrap.security.principal.key property.

    For an example service instance configuration, see Example 11-1.

    For details about specifying these properties for your identity store, see "LDAP Identity Store Properties" in Securing Applications with Oracle Platform Security Services.

  7. In the default jps context, change the serviceInstanceRef name="idstore.xml" value to "idstore.<your-idstore-type>", as in the following example that sets the identity store type for Oracle Internet Directory:

     <serviceInstanceRef ref="idstore.oid"/>

  8. Comment out the keystore and audit service instance references in the default jps context. For example:

    <jpsContext name="default"> 
 <serviceInstanceRef ref="credstore"/>
<!--  <serviceInstanceRef ref="keystore"/>  --> 
<serviceInstanceRef ref="policystore.xml"/> 
<!--  <serviceInstanceRef ref="audit"/>  -->

  9. Set any additional property attribute values as appropriate for your identity store. For complete details about the OPSS configuration file, see "Configuring Java SE Applications to Use OPSS" in Securing Applications with Oracle Platform Security Services for more information.

Example 11-1 shows the configuration of Oracle Internet Directory in the service instance section of the configuration file.

Example 11-1 Example Service Instance Configuration

<!-- OID LDAP Identity Store Service Instance -->
  <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
  <property name="subscriber.name" value="dc=us,dc=oracle,dc=com" />
  <property name="idstore.type" value="OID" />
   <property name="bootstrap.security.principal.map" value="BOOTSTRAP_JPS"/>
   <property name="bootstrap.security.principal.key" value="bootstrap_idstore"/>
  <property name="username.attr" value="uid"/>
  <property name="groupname.attr" value="cn"/>
  <property name="ldap.url" value="ldap://hostname:port" />
  <extendedProperty>
   <name>user.search.bases</name>
   <values>
    <value>cn=users,dc=us,dc=oracle,dc=com</value>
   </values>
  </extendedProperty>
  <extendedProperty>
   <name>group.search.bases</name>
   <values>
    <value>cn=groups,dc=us,dc=oracle,dc=com</value>
   </values>
  </extendedProperty>
 </serviceInstance>
  .
  .
  .
 <serviceInstanceRef ref="idstore.oid"/>

11.7.1.2 Create a Wallet File for an LDAP Bootstrap User

You must create a wallet file to store the identity store bootstrap user's credentials. This wallet file is referenced from the OPSS configuration file and is used by Oracle Data Integrator to establish the connection to the identity store that is configured in the OPSS configuration file.

Note:

This wallet file is different from the password-protected wallet used for storing login credentials for Oracle Data Integrator Studio.

To create this wallet file, complete the following steps:

  1. Change to the ORACLE_HOME/odi/sdk/bin directory.

  2. Run the odi_credtool script.

    You are prompted to enter the following parameters:

    For the following parameter . . . . . . enter the following value 
    User name
    		The Distinguished Name (DN) of the bootstrap user account used to connect to the identity store with necessary privileges.

    For example, for Microsoft Active Directory, specify this user as follows:

    CN=Administrator,CN=Users,DC=ad,DC=vm,DC=mycompany,DC=com

    Password
    		The password for the bootstrap user account that is used to connect to the identity store.

After you enter the correct credentials for the bootstrap user account, the following message is displayed:

The credentials have been successfully added to the boostrap credential store.

11.7.1.3 Set External Authentication when Creating the Master Repository

To create the master repository and set it to use external authentication:

  1. Change to the ORACLE_HOME/odi/studio directory.

  2. Launch Oracle Data Integrator Studio by running the following command:

    Windows:

    odi.exe

    UNIX:

    ./odi.sh

  3. In Oracle Data Integrator Studio, select File > New, select Master Repository Creation Wizard, and click OK.

  4. In the repository selection screen of the Master Repository Creation Wizard, enter the connection parameters for the database that is to contain the master repository, and click Test Connection to ensure the parameters are correct. For details about configuring this database, see Installing and Configuring Oracle Data Integrator.

    When the connection test is successful, click OK.

  5. In the authentication screen of the Master Repository Creation Wizard, select Use External Authentication.

For information about how to select principals who have supervisor privileges in the master repository, see "Mapping Principals Defined in an Identity Store to Oracle Data Integrator Roles".

For information about how to update an existing master repository to use external authentication, see "Switching an Existing Master Repository to External Authentication Mode".

11.7.2 Switching an Existing Master Repository to External Authentication Mode

To switch the authentication mode from internal to external in an existing master repository, complete the following steps:

  1. Change to the ORACLE_HOME/odi/studio directory.

  2. Launch Oracle Data Integrator Studio by running the following command:

    Windows:

    odi.exe

    UNIX:

    ./odi.sh

  3. In Oracle Data Integrator Studio, select ODI > Switch Authentication Mode....

    The Login screen of the Switch Authentication Mode wizard is displayed, as shown in Figure 11-4.

    Figure 11-4 Login Screen of Switch Authentication Mode Dialog Box

    Description of Figure 11-4 follows
    Description of ''Figure 11-4 Login Screen of Switch Authentication Mode Dialog Box''

  4. Enter the login name of the master repository, the JDBC connection parameters, and the user name and password for the master repository database user, then click Next.

    The Credentials screen of the Switch Authentication Mode wizard is displayed, as shown in Figure 11-5.

    Figure 11-5 Credentials Screen of Switch Authentication Mode Wizard

    Description of Figure 11-5 follows
    Description of ''Figure 11-5 Credentials Screen of Switch Authentication Mode Wizard''

  5. Click the Add button, which is shown as the green plus symbol adjacent to the search field, to display the Enterprise Roles and Users Retrieval dialog box, shown in Figure 11-6.

    Figure 11-6 Enterprise Roles and Users Retrieval Dialog Box

    Description of Figure 11-6 follows
    Description of ''Figure 11-6 Enterprise Roles and Users Retrieval Dialog Box''

    You can use the Enterprise Roles and Users Retrieval dialog box to either:

    • Enter a filter expression to display the roles and users in the identity store that match the filter.

    • Search the identity store for a specific role or user name.

    You can expand the Enterprise Roles and Enterprise Users nodes to browse the available enterprise roles and users in the identity store.

  6. Select the user or role you wish to assign to the SUPERVISOR_ROLE role, then click Finish.

If the external authentication mode switch is successful, a dialog box similar to the one in Figure 11-7 is displayed:

Figure 11-7 Successful Switch to External Authentication Mode Message Box

Description of Figure 11-7 follows
Description of ''Figure 11-7 Successful Switch to External Authentication Mode Message Box''

11.7.3 Reactivating Users After Switching to External Authentication

If you have an existing set of Oracle Data Integrator users defined, you can re-enable them after switching to external authentication as explained in this section. To re-enable users, first reconnect to Studio as a user with supervisor privileges—for example, SUPERVISOR—using the password specified in the external identity store, and not the one stored in the internal Oracle Data Integrator repository. Then complete the following steps:

  1. In the Security Navigator, expand the Users navigation tree.

  2. From the list of users displayed, select the user that you want to re-enable.

  3. Right-click and select Open. The User editor appears, shown in Figure 11-8.

    Figure 11-8 Open USER Administrator Dialog Box

    Description of Figure 11-8 follows
    Description of ''Figure 11-8 Open USER Administrator Dialog Box''

    The Name field displays the user you selected in Step 2.

  4. Click Retrieve GUID. If the user name has a match in the identity store, this external user's GUID appear in the External GUID field.

  5. From the File main menu, select Save and disconnect.

  6. Reconnect as this user (for example, the user SUPERVISOR shown in Figure 11-8) using the password in the external identity store.

You should now be able to connect to Oracle Data Integrator Studio using the external authentication.

Note the following:

  • For troubleshooting LDAP server issues, it is very useful to use any LDAP client to browse the LDAP tree. You can download an LDAP client from the following URL:

    http://www.ldapbrowser.com/

  • For any LDAP directory other than Microsoft Active Directory, make sure that the property user.filter.object.classes is set correctly to the user's object class, which by default is set to USER if not specified.

  • If Oracle Data Integrator Console and Java EE agent are installed in your environment, and you have switched Oracle Data Integrator Studio to external authentication, you might be unable to log in to Oracle Data Integrator Console and the Java EE agent also might fail. If this occurs, you must also configure Oracle Data Integrator Console and Java EE agent for external authentication using the same external identity store. The procedure for doing this is documented in Note 1510434.1 at My Oracle Support, available at the following URL:

    https://support.oracle.com/epmos/faces/DocumentDisplay?id=1510434.1

11.7.4 Configuring Standalone or Standalone Colocated Agents for External Authentication

To configure the Standalone or Standalone Colocated agents for external authentication, complete the following steps:

  1. Copy the following files into the DOMAIN_HOME/config/fmwconfig directory, if they do not already exist there, where DOMAIN_HOME represents the root directory of your Oracle Data Integrator domain.

    • ORACLE_HOME/oracle_common/modules/oracle.jps_12.1.2/domain_config/jse/jps-config.xml

    • ORACLE_HOME/oracle_common/modules/oracle.jps_12.1.2/domain_config/jse/system-jazn-data.xml

    Note:

    For information about creating an Oracle Data Integrator domain, see Installing and Configuring Oracle Data Integrator.

  2. Change to the DOMAIN_HOME/config/fmwconfig directory.

  3. Rename jps-config.xml to jps-config-jse.xml.

  4. Open jps-config-jse.xml in an editor.

  5. Add a service instance for the identity store provider and include the following properties:

    • The service instance name. For example, for Oracle Internet Directory, name="idstore.oid".

    • The idstore.type property.

    • The bootstrap.security.principal.map property.

    • The bootstrap.security.principal.key property.

    For an example service instance configuration, see Example 11-1.

    For details about specifying these properties for your identity store, see "LDAP Identity Store Properties" in Securing Applications with Oracle Platform Security Services.

  6. In the default jps context, change the serviceInstanceRef name="idstore.xml" value to "idstore.<your-idstore-type>", as in the following example that sets the identity store type for Oracle Internet Directory:

     <serviceInstanceRef ref="idstore.oid"/>

  7. Comment out the keystore and audit service instance references in the default jps context element. For example:

    <jpsContext name="default"> 
 <serviceInstanceRef ref="credstore"/>
<!--  <serviceInstanceRef ref="keystore"/>  --> 
<serviceInstanceRef ref="policystore.xml"/> 
<!--  <serviceInstanceRef ref="audit"/>  -->

  8. Save your changes to jps-config-jse.xml and exit from your editor.

  9. Change to the DOMAIN_HOME/bin directory.

  10. Run the odi_credtool script.

    You are prompted to enter the following parameters:

    For the following parameter . . . . . . enter the following value 
    User name
    		This is the Distinguished Name (DN) of the bootstrap user account used to connect to the identity store with Administrator privileges.

    For example, for Microsoft Active Directory, specify this user as follows:

    CN=Administrator,CN=Users,DC=ad,DC=vm,DC=mycompany,DC=com

    Password
    		The password for the bootstrap user account that is used to connect to the identity store.

    After you enter the correct credentials for the bootstrap user account, the following message is displayed:

    The credentials have been successfully added to the boostrap credential store.

11.7.5 Mapping Principals Defined in an Identity Store to Oracle Data Integrator Roles

Oracle Data Integrator's enterprise role integration feature leverages the authorization model in Oracle Platform Security Services (OPSS) to allow you to map enterprise roles to Oracle Data Integrator roles. Enterprise users who belong to the mapped enterprise role can access Oracle Data Integrator by inheriting the privileges that are granted to the mapped Oracle Data Integrator role. Enterprise role integration simplifies both the management of users and also of privileges because you do not need to register users individually in Oracle Data Integrator to grant them access, and you do not need to manage privileges on a per user basis.

The following sections explain how enterprise role integration works and how you can use it to manage the privileges that are assigned to objects, instances, and profiles.

11.7.5.1 How Enterprise Role Integration Works

When external authentication is enabled, users are managed in an external identity store, such as Oracle Internet Directory or Microsoft Active Directory.

When using enterprise role integration:

  • Any enterprise principal in the identity store that can be mapped to an Oracle Data Integrator role is entitled to the privileges granted to that role. For example, if the enterprise role DESIGNERS is mapped to the Oracle Data Integrator role DESIGNERS_ROLE, any enterprise user who is a member of DESIGNERS in the identity store is given all the privileges granted to DESIGNERS_ROLE when authenticated into Oracle Data Integrator.

  • You can map multiple enterprise users and roles to an Oracle Data Integrator role, and you can also map an enterprise user or role to multiple Oracle Data Integrator roles. (Note that you cannot map an Oracle Data Integrator role to another Oracle Data Integrator role.).

  • When a user is authenticated into Oracle Data Integrator, privileges granted to that user are determined by a union of all the Oracle Data Integrator roles to which the user is mapped directly or indirectly through an enterprise role.

    If the external user is also registered directly in Oracle Data Integrator, as in previous releases, the overall set of privileges given to the user consists of a union of:

    • The Oracle Data Integrator roles to which the user is mapped

    • Any privileges granted directly to the user

  • Users do not need to be created and registered in Oracle Data Integrator in order to enable them to be granted access to Oracle Data Integrator.

  • Any existing privileges and profiles assigned to individual users, as described in "Users", remain in effect. This enables backward compatibility with previous releases of Oracle Data Integrator.

11.7.5.2 Defining and Managing Oracle Data Integrator Roles

At the time you create the master repository and configure it to use external authentication, the following occurs:

  1. The Oracle Data Integrator role SUPERVISOR_ROLE is automatically created. This is the main administrative role in Oracle Data Integrator.

  2. You are prompted to select one or more enterprise roles, or enterprise users, from the identity store to be mapped to this SUPERVISOR_ROLE. Note that Oracle Data Integrator can retrieve all available enterprise roles or enterprise users existing in the identity store that is configured in the jps-config-jse.xml file, as explained in "Set Up the OPSS Configuration File".

Once you can be authenticated into Oracle Data Integrator and mapped to the SUPERVISOR_ROLE role, you can use the Roles Editor, available from Studio, to map additional enterprise principals to this role. Consequently, any user mapped to this role can then use the Roles Editor to create additional Oracle Data Integrator roles, assign privileges and profiles to those roles, and create other principal mappings from the identity store.

The following sections explain how to map enterprise principals to the SUPERVISOR_ROLE role and how to use the Roles Editor to create, update, and remove Oracle Data Integrator roles:

Configuring Enterprise Roles for the Supervisor Role

When you select Use External Authentication when creating the master repository, as explained in "Set External Authentication when Creating the Master Repository", you need to configure enterprise roles. The initial enterprise role you configure is the principal (one or more) in the identity store to be mapped to the Oracle Data Integrator SUPERVISOR_ROLE.

To configure enterprise roles for the SUPERVISOR_ROLE in the master repository:

  1. Start the Master Repository Creation Wizard, as explained in "Set External Authentication when Creating the Master Repository".

  2. In the Master Repository Creation Wizard — Step 2 of 3 page, click the Add button retrieve the available enterprise roles and users from the external identity store, as shown in Figure 11-9:

    Figure 11-9 Authentication Screen of the Master Repository Creation Wizard

    Description of Figure 11-9 follows
    Description of ''Figure 11-9 Authentication Screen of the Master Repository Creation Wizard''

    When you click the Add button, the Enterprise Roles and Users Retrieval dialog box is displayed, shown in Figure 11-10, in which you can either:

    • Enter a filter expression to display the roles and users in the identity store that match the filter.

    • Search the identity store for a specific role or user name.

    You can expand the Enterprise Roles and Enterprise Users nodes to display the individual roles and users, respectively, that are defined in the identity store.

    Figure 11-10 Enterprise Roles and Users Retrieval Dialog Box

    Description of Figure 11-10 follows
    Description of ''Figure 11-10 Enterprise Roles and Users Retrieval Dialog Box''

  3. Select the enterprise user or role from the Enterprise Roles and Enterprise Users dialog box that you want to assign to the SUPERVISOR_ROLE role, and click OK.

  4. Finish the creation of the master repository, as explained in "Creating the Master Repository".

11.7.5.3 Using the Roles Editor

The following sections explain how to use the Roles Editor to manage enterprise role integration with Oracle Data Integrator:

11.7.5.3.1 Start the Roles Editor

You can use the Roles Editor to create, update, and delete Oracle Data Integrator roles.

To start the Roles Editor:

  1. In Oracle Data Integrator Studio, click Connect to Repository, if necessary, and enter the required credentials to connect to the repository you want to use.

  2. In Studio, choose the Security Navigator and select the Roles navigation tree.

  3. Start the Roles Editor in either of the following ways:

    • Click New Role in the toolbar of the Roles navigation tree. This enables you to create a new Oracle Data Integrator role.

    • From the list of roles that is displayed in the Roles navigation tree, right-click a role name and select Open. This enables you to update an existing role.

  4. Right-click and select Open.

The Roles Editor is shown in Figure 11-11.

11.7.5.3.2 Create a Role in Oracle Data Integrator

To create an Oracle Data Integrator role:

  1. Start the Roles Editor in Studio, if necessary.

  2. Choose the Security Navigator and select the Roles navigation tree.

  3. Click New Role in the toolbar of the Roles navigation tree.

  4. In the Name field, enter the name of the Oracle Data Integrator role you want to create.

  5. From the File main menu, select Save.

The new role name is displayed in the Roles navigation tree.

11.7.5.3.3 Map Enterprise Principals to Oracle Data Integrator Roles

To map enterprise principals to an Oracle Data Integrator role:

  1. If the Oracle Integrator Role you want to modify is not already open in the Roles Editor, right-click the role name in the Roles navigation tree and select Open.

  2. In the Add Principals to Role panel of the Roles Editor, click the Add button (plus sign) to display the Enterprise Roles and Users Retrieval dialog box.

    From this dialog box, you can either:

    • Enter a filter expression to display the roles and users in the identity store that match the filter.

    • Search the identity store for a specific role or user name.

  3. Do either or both of the following:

    • To select one or more enterprise roles to map to the Oracle Data Integrator role, expand the Enterprise Roles node and select those roles.

    • To select one or more enterprise users to map to the Oracle Data Integrator role, expand the Enterprise Users node and select those users.

  4. From the File main menu, select Save.

11.7.5.3.4 Assign Privileges or Profiles to Oracle Data Integrator Roles

Studio supports two ways to assign privileges or profiles to an Oracle Data Integrator role:

  • Using the Roles Editor

  • Clicking and dragging privilege, profiles, and instance objects onto the role name in the Roles navigation tree

Using the Roles Editor:

  1. If the Oracle Data Integrator role to which you want to assign privileges is not already open in the Roles Editor, right-click the role name in the Roles navigation tree and select Open.

  2. If you want to assign supervisor privileges to the role, select Supervisor in the Supervisor Access Privileges section of the Roles Editor.

  3. In the Role Profiles panel of the Roles Editor, select each profile you want to assign to the role.

    Note:

    If you have assigned supervisor privileges to the role, this step is unnecessary.

  4. From the File main menu, select Save.

Clicking and Dragging:

Privileges on any of the following items can be added to a role by clicking it and dragging it onto a role name in the Roles navigation tree:

  • An object node, or an entry within an object node, listed in the Objects navigation tree.

  • A profile node, or an entry with a profile node, listed in the Profiles navigation tree.

  • An object instance listed in an navigation tree in the Designer, Operator, or Topology Navigator. Select the instance and drag it onto the desired role name the same way as you grant an object instance privilege to an Oracle Data Integrator user (see "Granting an Authorization by Object Instance").

After updating the privileges for an Oracle Data Integrator role, select Save from the File main menu.

11.7.5.3.5 Delete Oracle Data Integrator Roles

To delete an Oracle Data Integrator role:

  1. In the Roles navigation tree of the Security Navigator, select the role you want to delete.

  2. Right-click and select Delete.

  3. When prompted to confirm your choice, click Yes.

11.8 Configuring OWSM Policies for JRF-ODI Asynchronous Web Services with Callback

The invokeStartScenWithCallback and invokeRestartSessWithCallback web service operations are implemented on a JRF platform and can be secured through internal and external authentication methods. The external authentication methods include the use of Oracle Platform Security Services (OPSS) and by attaching Oracle Web Services Manager (OWSM) policies. OWSM provides a policy framework to manage and secure web services. For information on internal and external authentication, see Section 11.7, "Configuring External Authentication".

Note:

When a JRF-based web service receives a request, it forwards the same to the agent. The agent requires a single key storing the login and password of the user to connect to the repository. The Oracle Data Integrator user names and passwords required by the agent to connect to the repositories are not stored in ODI Configuration files but are stored in the Application Server Credential store. Therefore, it is mandatory that the credential store entries are added before using internal or external authentication methods. For information on adding credential store entries, see step 2 in the following procedure.

To attach an OWSM policy to an asynchronous web service using Fusion Middleware Control, see the following sections in the Oracle Fusion Middleware Securing Web Services and Managing Policies with Oracle Web Services Manager:

  1. Attaching Policies to Asynchronous Web Service Callback Clients

  2. Setting up the environment for OWSM policies. To set up the environment for using OWSM policies, follow the procedures in the "Generating Private Keys and Creating the Java Keystore", "Configuring the Oracle WSM Keystore Using Fusion Middleware Control", and "Adding Keys and User Credentials to the Credential Store Using Fusion Middleware Control" sections.

Note:

OWSM policies can also be attached during run-time using WebLogic Scripting Tool (WLST) commands. For information, see Oracle Fusion Middleware Securing Web Services and Managing Policies with Oracle Web Services Manager.

11.9 Enforcing Password Policies

The password policies consist of a set of rules applied to user passwords when using internal authentication. This set of rules is applied when the password is defined or modified by the user.

To define the password policy:

  1. From the Security Navigator toolbar menu, select Password Policy...

    The Password Policy dialog appears. This dialog displays a list of rules.

  2. If you want your password to expire automatically, check Password are valid for (days), and set a number of days after which passwords need to be modified.

  3. Click Add a Policy. The Policy Definition dialog appears. A policy is a set of conditions that are checked on passwords.

  4. Set a Name and a Description for this new policy.

  5. In the Rules section, add several conditions on the password text or length. You can define, for example, a minimum length for the passwords.

  6. From the Condition to match list, select whether you want the password to meet at least one or all conditions.

  7. Click OK.

  8. Add as many policies as necessary, and select Active for those of the rules that you want to keep active. Only passwords that meet all the policies are considered as valid for the current policy.

  9. Click OK to update the password policy.

11.10 Configuring Standalone or Standalone Colocated Agents to Use a Secure Transport

Hyper-Text Transfer Protocol Secure (HTTPS) is a secure version of Hyper Text Transfer Protocol (HTTP) and is used to provide an additional level of security. This section describes how to set up Hypertext Transfer Protocol Secure (HTTPS) support in Oracle Data Integrator and contains the following topics:

11.10.1 Creating an SSL Certificate

An SSL certificate helps you to encrypt the data being transmitted over the internet.

To create an SSL certificate:

  1. Remove the default SSL certificate demoidentity from the keystore, using the following command:

    keytool –delete –alias demoidentity -keystore <domain>/security/DemoIdentity.jks
Enter the keyStore password, DemoIdentityKeyStorePassPhrase

    Note:

    The keyStore, key, and trustStore passwords are DemoIdentityKeyStorePassPhrase, DemoIdentityPassPhrase, and DemoTrustKeyStorePassPhrase respectively. However, the keyStore and key passwords must be DemoIdentityKeyStorePassPhrase.

  2. Substitute the alias name with demoidentity for a default certificate or agent for a user defined certificate and generate the certificate.

    Default Certificate <aliasName>: demoidentity
User defined Certificate <aliasName>: agent

  3. Generate a key for the agent using the Keytool utility. The agent uses its fully qualified hostname to fetch the key from the keystore.

    keytool -genkey -alias <aliasName> -keyalg RSA -keystore <domain>/security/DemoIdentity.jks
Enter keystore password:  DemoIdentityKeyStorePassPhrase
What is your first and last name?
  [Unknown]:agenthostname.us.oracle.com
What is the name of your organizational unit?
  [Unknown]:  ODI
What is the name of your organization?
  [Unknown]:  Oracle
What is the name of your City or Locality?
  [Unknown]:  San Jose 
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=agent.us.oracle.com, OU=ODI, O=Oracle, L=San Jose, ST=CA, C=US correct?
  [no]:  yes
Enter key password for <agent>
        (RETURN if same as keystore password) : <return>

    A key is created with an alias name <aliasName>.

  4. Export the key using the following keytool command syntax:

    keytool -export -alias <aliasName> -keystore <domain>/security/DemoIdentity.jks
-rfc -file public.cert
Enter keystore password:  DemoIdentityKeyStorePassPhrase
   Certificate stored in file <public.cert>

  5. Import the key into a client truststore using the following keytool command syntax:

    keytool -import -alias <aliasName> -file public.cert -storetype JKS -keystore      
   <MW_HOME>/Oracle_Home/wlserver/server/lib/DemoTrust.jks
Enter keystore password: DemoTrustKeyStorePassPhrase
 
 
...
…
Trust this certificate? [no]:  yes

    The self-signed certificate is created and added to the client truststore.

11.10.2 Configuring SSL for Standalone Agents or Standalone Colocated Agents

To configure SSL for Standalone or Standalone Colocated agents, the agent must be created with the HTTPS protocol.

To create a Standalone or Standalone Colocated agent with HTTPS protocol:

  1. Create the Oracle Data Integrator domain and configure the agent template:

    • If using the ODI Standalone install type, create an ODI domain and configure the Oracle Data Integrator - Standalone Agent template to create an ODI Instance configuration.

    • If using the ODI Enterprise install type, create an ODI domain and configure the Oracle Data Integrator - Standalone Colocated Agent template to create an ODI Instance configuration.

    See Installing and Configuring Oracle Data Integrator for more information.

  2. Create an agent in the master repository with the HTTPS protocol. If the agent already exists, modify the agent's protocol to https in the master repository. See "Creating a Physical Agent" for more information.

  3. Edit the instance.properties file at the following location and set PROTOCOL to https:

    <domain>/config/fmwconfig/components/ODI/<agentName>

    Set the SSL password parameters in an encrypted format, as shown below:

    ODI_KEYSTORE_ENCODED_PASS=<Encrypted password>
ODI_KEY_ENCODED_PASS=<Encrypted password>
ODI_TRUST_STORE_ENCODED_PASS=<Encrypted password>

    For information on how to encrypt a password, see "Encoding a Password".

  4. Configure other Keystore Location and Truststore SSL parameters' location and type in the instance.sh file, as shown below:

    ODI_INSTANCE_JAVA_OPTIONS="
-Djavax.net.ssl.keyStore=<domain>/security/DemoIdentity.jks
-Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.trustStore= <MW_HOME>/Oracle_Home/wlserver/server/lib/DemoTrust.jks
-Djavax.net.ssl.trustStoreType=JKS $ODI_ADDITIONAL_JAVA_OPTIONS"

  5. Enter the following command to start the agent:

    <domain>/bin/agent.sh -INSTANCE=agentName

11.10.3 Configuring ODI Studio to Connect with an SSL-enabled Agent

SSL parameter values are populated in ODI Studio. This is the default and only credential set that is used by ODI Studio when Studio Internal Agent connects to an SSL server.

To connect to an SSL-enabled agent from Oracle Data Integrator Studio:

  1. Go to Tools > Preferences > Credentials.

  2. Edit the Client Trusted Certificate Keystore and Client Trusted Keystore Password fields.

To point to another trustStore, edit the fields mentioned above. For more information, see "Using SSL With HTTP Analyzer" in Developing Integration Projects with Oracle Data Integrator.

11.10.4 Configuring Oracle Data Integrator Client Tools to Communicate with an SSL-enabled Agent

ODI client tools do not have access to the master repository, and therefore cannot decrypt the SSL passwords stored in the instance.properties file. To run Oracle Data Integrator client tools that connect to an SSL-enabled agent, set a cleartext password for the keyStorePassword system property. The keyStorePassword system property must be appended to the ODI_INSTANCE_JAVA_OPTIONS variable in the following location:

<domain>/config/fmwconfig/components/ODI/OracleDIAgent1/bin/instance.sh

Append the parameter using the following command:

ODI_INSTANCE_JAVA_OPTIONS="-Djavax.net.ssl.keyStorePassword=<clear_text-password>
-Djavax.net.ssl.keyStore=<domain>/security/DemoIdentity.jks   -Djavax.net.ssl.keyStoreType=JKS
-Djavax.net.ssl.trustStore=<Domain>/oracle/work/middleware/wlserver/server/lib/DemoTrust.jks
-Djavax.net.ssl.trustStoreType=JKS $ODI_ADDITIONAL_JAVA_OPTIONS"

Sample ODI client tools that require the keyStorePassword system property are listed below:

./agentstop.sh -NAME= OracleDIAgent1
./startcmd.sh -INSTANCE=OracleDIAgent1 OdiPingAgent -AGENT_NAME=OracleDIAgent1
./startcmd.sh -INSTANCE=OracleDIAgent1 OdiKillAgent -NAME=OracleDIAgent1 -IMMEDIATE=YES -MAX_WAIT=0
./startscen.sh -INSTANCE=OracleDIAgent1 OdiStartScen -SCEN_NAME=SAM -SCEN_VERSION=001 -CONTEXT=GLOBAL -SYNC_MODE=1
./startscen.sh -INSTANCE=OracleDIAgent1 SAM 001 GLOBAL -AGENT_URL=https://<hostname>:<port>/oraclediagent

For information on ODI client tools, see Oracle Data Integrator Tools Reference.

11.10.5 Encoding a Password

To encode a cleartext password:

  1. Execute the following script with agentName:

    <domain>/bin/encode.sh -INSTANCE=<agentName>

  2. Enter the password in the prompt, as shown below:

    Enter password to encode: <password>

    The encrypted password is displayed.

11.10.6 Disabling Weak Cipher Suites for an SSL-enabled Standalone Agent or Standalone Colocated Agent

This section describes how to disable weak cipher suites for an SSL-enabled Standalone agent or Standalone Colocated agent. To view the cipher suites in the environment, start the Standalone or Standalone Colocated agent and a list of available suites is displayed.

To disable weak cipher suites:

  1. Set the cipher suites that must be excluded in the instance.properties file. For example:

    ODI_EXCLUDED_CIPHERS=TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA

  2. Invoke the agent in SSL mode, using the following command:

    ./agent.sh-NAME=OracleDIAgent -PORT=20910

    A list of available cipher suites is displayed and a list of cipher suites that can be used by the SSL-enabled Standalone agent or Standalone Colocated agent is also displayed.

11.11 Configuring Oracle Data Integrator with a Web Proxy Server

This section describes how to reach external http connections if your network setup has a web proxy configuration.

To configure Oracle Data Integrator with web proxy setup from Oracle Data Integrator Studio, go to Tools > Preferences and set up the proxy in the Web Browser and Proxy page.

You can set the web proxy settings from a command line if you have installed the Oracle Data Integrator Standalone or the Standalone Colocated agent. For the Java EE agent, the web proxy settings must be set in the setDomainEnv.sh file in the WebLogic Server. For information on the standard system properties used to alter the mechanisms and behavior of the various classes of the java.net package, see Networking Properties.

Note:

The standard Java proxy password property, http.proxyPassword only accepts a cleartext password, so Oracle Data Integrator has introduced an additional property, oracle.odi.http.encoded.proxyPassword to set an encrypted proxy server password instead of a cleartext password, if required.

The encrypted proxy server password can be set in the following manner:

  • Standalone or Standalone Colocated agent: Append the oracle.odi.http.encoded.proxyPassword property using the -D option of the Java command to the ODI_INSTANCE_JAVA_OPTIONS variable in the instance.sh file, which is available in the following location:

    <DOMAIN_HOME>/config/fmwconfig/components/ODI/<INSTANCE_NAME>/bin

  • Java EE agent: Edit the setDomainEnv.sh file in the WebLogic Server. The setDomainEnv.sh file is available in the following location:

    <DOMAIN_HOME>/bin

11.12 Configuring Single Sign-On (SSO) for Oracle Data Integrator Console and Enterprise Manager using Oracle Access Manager 11g

This section describes how to optionally configure Single Sign-On for Oracle Data Integrator Console and Enterprise Manager with Oracle Access Manager (OAM) 11g.

To configure Single Sign-On for Oracle Data Integrator Console and Enterprise Manager:

  1. Log in to the OAM Console using your browser:

    http://host:port/oamconsole

  2. Go to Policy Configuration > Application Domains.

    The Policy Manager pane displays.

  3. Locate the application domain you created using the name while registering the WebGate agent.

  4. Expand the Resources node and click Create.

    The Resource page displays.

  5. Add the resources that must be secured. For each resource:

    1. Select http as the Resource Type.

    2. Select the Host Identifier created while registering the WebGate agent.

    3. Enter the Resource URL as follows:

      Resource URL ODI Component
      /odiconsole* ODI Console
      /odiconsole/.../* ODI Console
      /em* Enterprise Manager
      /em/.../* Enterprise Manager

    4. Enter a Description for the resource and click Apply.

  6. Go to Authentication Policies > Protected Resource Policy and add the newly created resources.

  7. Do the same under Authorization Policies > Protected Resource Policy.

  8. In your WebTier, modify the mod_wl_ohs.conf file (in WT_ORACLE_HOME/instances/<your_instance>/config/OHS/ohs1/) to include the ODI Console and Enterprise Manager, by adding two additional Location entries using the actual host ID for the WebCenter Portal Administration Server for WebLogicHost.

    <Location /odiconsole*>
      SetHandler weblogic-handler
      WebLogicHost webcenter.example.com
      WebLogicPort 7001
</Location>
<Location /em*>
      SetHandler weblogic-handler
      WebLogicHost webcenter.example.com
      WebLogicPort 7001
</Location>

  9. Restart the Oracle HTTP Server for your changes to take effect.

    You should now be able to access the ODI Console and Enterprise Manager with the following links:

    http://host:OHS port/odiconsole

    http://host:OHS port/em

    and be prompted with the OAM SSO login form.

    For more information about installing and configuring OAM 11g for ODI, see "Integrating ODI with Oracle Access Manager 11g" in the Installing and Configuring Oracle Data Integrator.

11.13 Best Security Practices for Oracle Data Integrator

Table 11-3 provides a list of best practices for securing the Oracle Data Integrator environment.

Table 11-3 Best Security Practices in an Oracle Data Integrator Environment

Security Action Description

Secure Oracle Data Integrator Studio

To provide optimal security for Oracle Data Integrator Studio, configure the following:

  • Password-protected wallet file — Create a password-protected wallet for storing the Oracle Data Integrator Studio login credentials. For more information, see "Using a Password-Protected Wallet for Storing Login Credentials".

  • External authentication — Use external authentication mode instead of the default internal authentication mode. You can select external authentication mode as one of the options when creating the master repository. For more information, see "Configuring External Authentication".

  • External password storage — For data server connection passwords, Oracle Data Integrator provides two options: internal password storage, and external password storage. Oracle recommends external password storage for secure production environments. You can choose the external password storage option at the time you create the master repository. For more information, see "Setting Up External Password Storage".

Configure a Standalone agent or Standalone Colocated agent to use a secure transport

For information on how to configure a Standalone agent or Standalone Colocated agent to use a secure transport, see "Configuring Standalone or Standalone Colocated Agents to Use a Secure Transport".

Configure the Oracle Data Integrator Console to use a secure transport

Oracle recommends the use of a secure transport for access to the Oracle Data Integrator Console. For example, you can configure the Oracle Data Integrator Console to use port 7002, which is the default SSL listen port. Users would then access the Oracle Data Integrator Console using the following URL:

https://<host>:7002/odiconsole

You can use the WebLogic Server Administration Console to secure the transport used for the Oracle Data Integrator Console. For information, see "Configuring SSL" in Administering Security for Oracle WebLogic Server 12c (12.2.1).