4 Other Security Topics

This chapter describes additional BI Publisher security topics including SSL configuration, proxy settings, enabling a local superuser, and enabling a guest user.

It covers the following topics:

• Enabling a Local Superuser

• Enabling a Guest User

• Configuring BI Publisher for Secure Socket Layer (SSL) Communication

• Enabling Secure Cookies

• Configuring Proxy Settings

• Restricting Embedding of BI Publisher in iframes

Enabling a Local Superuser

BI Publisher enables you to define an administration Superuser.

Using the Superuser credentials you can directly access the BI Publisher administrative functions without logging in through the defined security model.

Set up this Superuser to ensure access to all administrative functions in case of failures with the configured security model. It is highly recommended that you set up a Superuser. Catalog operations are not available to a Superuser, if BI Publisher is configured to use Oracle Business Intelligence Enterprise Edition catalog,

To enable a local superuser:

1. Click Administration.
2. Under Security Center, click Security Configuration.
3. Under Local Superuser, select the box and enter the credentials for the Superuser, as shown below.
   
   

   
   Description of the illustration GUID-A5242435-3E6F-49C6-812C-0A468BC59E9A-default.gif

   
   
4. Restart the BI Publisher application.

Enabling a Guest User

BI Publisher allows you configure public access to specific reports by defining a "Guest" folder. Any user can access the reports in this folder without entering credentials.

Note:

Guest access is not supported when BI Publisher uses a shared catalog or is installed with Oracle Business Intelligence Enterprise Edition.

Guest access is not supported with Single Sign-On.

All objects that are required to view a report must be present in the Guest folder because the Guest folder is the only folder the guest user has any access rights to. Therefore the report and the data model must be present in the Guest folder and Sub Templates and Style Templates, if applicable. The guest user must have read access only.

The Guest user must also be granted access to the report data source.

To enable guest access:

1. Under Shared Folders, create the folder to which you want to grant public access.
2. Click Administration.
3. Under Security Center, select Security Configuration.
4. Under Guest Access, select Allow Guest Access.
5. Enter the name of the folder that you created for public access, as shown below.
   
   

   
   Description of the illustration GUID-C5453B68-000B-4695-8D46-21D5BD178345-default.gif

   
   
6. Restart the BI Publisher application.
7. Add the objects to the Guest folder that the guest users can access: folders, reports, data models, Sub Templates and Style Templates.

   Note:

   The report must reference the data model that is stored in the guest folder. Therefore, if you copy a report with its data model from another location, then ensure that you open the report and reselect the data model so that the report references the data model inside the guest folder.

   Similarly, any references to Sub Templates or Style Templates must also be updated.

8. Grant access to the data sources used by data models in your Guest folder. See Setting Up Data Sources for information on granting Guest access to a data source.

Users who access BI Publisher see the Guest button on the log on page. Users can click this button and view the reports in your chosen guest folder without presenting credentials.

Configuring BI Publisher for Secure Socket Layer (SSL) Communication

It is strongly recommended that you enable Secure Socket Layer (HTTPS) on the middle tier hosting the Web services because the trusted username/password that is passed can be intercepted.

This also pertains to Web services that are used for communication between BI Publisher and Oracle BI Presentation Services.

Tasks for enabling SSL with BI Publisher:

• Importing Certificates for Web Services Protected by SSL

• Adding the Virtualize Property to the Identity Store Configuration

• Updating the JDBC Connection String to the Oracle BI EE Data Source

• Updating the JMS Configuration

• Configuring the Delivery Manager

See Enabling End-to-End SSL in the Security Guide for Oracle Business Intelligence Enterprise Edition.

Importing Certificates for Web Services Protected by SSL

If you make calls to Web services that are protected through Secure Sockets Layer (SSL), then you must export the certificate from the Web server hosting the Web service and import it into the Java keystore on the computer that is running BI Publisher.

To import certificates for Web services:

1. Navigate to the HTTPS site where the WSDL resides.
2. Download the certificate by following the prompts; the prompts that you see vary depending on the browser that you are using.
3. Install the Certificate into your keystore using the Java keytool, as follows:

   keytool -import -file <certfile> -alias <certalias> -keystore <keystore file>
   

4. Restart the application server.

These steps should not be required if the server certificate is linked to some certificate authority (such as Verisign). But if the Web service server is using a self-generated certificate (for example, in a testing environment), then these steps are required.

Adding the Virtualize Property to the Identity Store Configuration

You must add the property "virtualize" to the Identity Store Configuration in Fusion Middleware Control to enable SSL for BI Publisher.

To add the virtualize property:

1. Log in to Fusion Middleware Control 12c:

   https://<Host>/<SecureAdminPort>/em

2. Select WebLogic Domain, Security, and then Security Provider Configuration.

3. Expand the Security Store Provider segment.

4. Expand the Identity Store Provider segment.

5. Click Configure.

   1. Click Add (+) to add a new property.

   2. In the Add New Property dialog, enter

      Property Name — virtualize

      Value — true

      
      

      
      Description of the illustration GUID-225DE7FF-1D07-45D4-8412-865AD81A6944-default.jpg

      
      

6. On the Identity Store Provide page, click OK.

   
   

   
   Description of the illustration GUID-8EBED04A-A0FC-4F1B-B95D-C57E36F6405C-default.jpg

   
   

7. Confirm that the property is added to the jps-config.xml file:

   1. Open the jps-config.xml file located in

      <DomainHome>/config/fmwconfig/jps-config.xml

   2. Ensure that the file contains the line:

      <property name="virtualize" value="true"/>

Updating the JDBC Connection String to the Oracle BI EE Data Source

For BI Publisher to connect to Oracle BI EE as a data source when SSL is enabled, you must update the default connection string.

Follow the guidelines detailed in Setting Up a JDBC Connection to the Oracle BI Server.

Updating the JMS Configuration

You update the Scheduler JMS configuration to use the SSL URL.

To update the JMS configuration:

1. On the BI Publisher Administration page, under System Maintenance, click Scheduler Configuration.

2. Update the WebLogic JNDI URL to use SSL. For example,

   
   

   
   Description of the illustration GUID-F3C6791F-3816-43B0-AD94-61CF57139B93-default.jpg

   
   
3. Click Apply.

4. Select the Scheduler Diagnostics tab.

5. Verify that the connection passed diagnostics.

Configuring the Delivery Manager

If you want to use the default certificates built-in with BI Publisher, then no further configuration is required.

SSL works with the default certificate if the server uses the certificate signed by a trusted certificate authority such as Verisign.

If the user uses the SSL with a self-signed certificate, then the certificate information must be entered in the Delivery Configuration page, as described in Configuring Delivery Options. A self-signed certificate means that the certificate is signed by a non-trusted certificate authority (usually the user).

Enabling Secure Cookies

The cookie-secure flag tells the Web browser to only send the cookie back over an HTTPS connection.

This ensures that the cookie is transmitted only on a secure channel. HTTPS must be enabled for the URL exposed by the application.

To enable the cookie-secure flag, you must update the weblogic.xml within the xmlpserver.war file (within the xmlpserver.ear) as follows:

1. Locate the xmlpserver.ear file under ORACLE_HOME/bifoundation/jee/

2. Unpack the xmlpserver.ear file.

3. Unpack the xmlpserver.war file.

4. Back up the WEB-INF/weblogic.xml file.

5. Open the WEB-INF/weblogic.xmlfile.

6. Add the following attributes to the <wls:session-descriptor>:

      <wls:cookie-secure>true</wls:cookie-secure>
      <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
   

   Example:

   <?xml version = '1.0' encoding = 'US-ASCII'?>
   <wls:weblogic-web-app
   xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
   http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd
   http://xmlns.oracle.com/weblogic/weblogic-web-app
   http://xmlns.oracle.com/weblogic/weblogic-web-app/1.2/weblogic-web-app.xsd">
     <wls:session-descriptor>
      <wls:cookie-path>/xmlpserver</wls:cookie-path>
      <wls:cookie-secure>true</wls:cookie-secure>
      <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
     </wls:session-descriptor>
     <wls:context-root>xmlpserver</wls:context-root>
      <wls:library-ref>
   ... 
   

7. Repack the xmlpserver.war file.

8. Repack the xmlpserver.ear file.

9. Go to your WebLogic Server console and update the bipublisher deployment.

Configuring Proxy Settings

To use external Web Services or HTTP data sources when the BI Publisher server is configured behind a firewall or requires a proxy to access the internet, you must configure Oracle WebLogic Server to allow the Web service requests and to be aware of the proxy.

When configuring the proxy setting, you must also configure WebLogic Server to be aware of any hosts that BI Publisher must connect to directly (not through the proxy) for example, the Oracle BI Enterprise Edition host. Define the proxy host and the non-proxy hosts to WebLogic Server by setting the following parameters:

• -Dhttp.proxyHost - specifies the proxy host. For example:

  -Dhttp.proxyHost=www-proxy.example.com

• -Dhttp.proxyPort - specifies the proxy host port. For example:

  -Dhttp.proxyPort=80

• -Dhttp.nonProxyHosts - specifies the hosts to connect to directly, not through the proxy. Specify the list of hosts, each separated by a "|" character; a wildcard character (*) can be used for matching. For example:

  -Dhttp.nonProxyHosts="localhost|*.example1.com|*.example2.com

To set these proxy parameters and the Web service configuration for your WebLogic Server add the following to the WebLogic setDomainEnv script as follows:

1. Open the setDomainEnv script (.sh or .bat) in the MW_HOME/user_projects/domains/DOMAIN_NAME/bin/directory.
2. Enter the following parameters:

   EXTRA_JAVA_PROPERTIES="-Dhttp.proxyHost=www-proxy.example.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=localhost|*.mycompany.com|*.mycorporation.com|*.otherhost.com ${EXTRA_JAVA_PROPERTIES}"
   export EXTRA_JAVA_PROPERTIES
    
    EXTRA_JAVA_PROPERTIES="-Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl 
   -Djavax.xml.soap.SOAPFactory=oracle.j2ee.ws.saaj.SOAPFactoryImpl -Djavax.xml.soap.SOAPConnectionFactory=oracle.j2ee.ws.saaj.client.p2p.HttpSOAPConnectionFactory  ${EXTRA_JAVA_PROPERTIES}"
   export EXTRA_JAVA_PROPERTIES
   

   where

   www-proxy.example.com is an example proxy host

   80 is the example proxy port

   localhost|*.mycompany.com|*.mycorporation.com|*.otherhost.com are example non-proxy hosts

Restricting Embedding of BI Publisher in iframes

You can prevent embedding of BI Publisher in iframes.

Configuring Embedding of BI Publisher

By default, users can embed BI Publisher in an iframe only if the iframe and BI Publisher are in the same domain.

If you want to allow embedding of BI Publisher in an iframe belonging to another domain or you want to completely restrict embedding of BI Publisher in an iframe, provide appropriate values for the X_FRAME_OPTIONS and FRAME_ANCESTORS properties in the xmlp-server-config.xml file.

Note:

If you set X_FRAME_OPTIONS to Deny and FRAME_ANCESTORS to none, you can’t access the user interface of BI Publisher from other products that can embed BI Publisher, including Oracle BI Enterprise Edition. If you specify the values for both X_FRAME_OPTIONS and FRAME_ANCESTORS, the value used depends on the browser. Make sure you provide similar values to X_FRAME_OPTIONS and FRAME_ANCESTORS to ensure consistent behavior across browsers.

X_FRAME_OPTIONS Values

Value	Specifies
False	Do not set the header option.
Deny	Do not allow users to embed BI Publisher in iframes.
SameOrigin	Allow users to embed BI Publisher in iframes of the same domain. This is the default.
Allow-From url	Allow users to embed BI Publisher only from the domain specified in the url parameter.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options.

FRAME_ANCESTORS Values

Value	Specifies
False	Do not set the header option.
none	Do not allow users to embed BI Publisher in iframes.
self	Allow users to embed BI Publisher in iframes of the same domain. This is the default.
url	Allow users to embed BI Publisher only from the domain specified in the url parameter. The URL can be repeated and can be specified in more than one format.

See https://www.w3.org/TR/CSP2/#directive-frame-ancestors.