4 Manage Service Access and Security
By default, Oracle Analytics Cloud - Classic services are accessible only through HTTP, secure protocols like SSL and SSH, and only using specific ports. You can customize the default security configuration to support different access rules and security policies.
Topics:
Manage SSH Access
To make things easy, you view and manage SSH keys for all the services in your Oracle Analytics Cloud - Classic identity domain from the same page.
If you lose the SSH private key used to access a service lost or it gets corrupted, you can add a new public key for that service. Or maybe you need to add a new public key to comply with your organization’s new security policies or regulations.
Control Access to Service Components
You use access rules to control network access to Oracle Analytics Cloud - Classic.
Manage Access Rules
There are different types of access rules: user, default, and system. As administrator, you can enable and disable user and default access rules as required. You’re allowed to delete only user access rules.
Assign Users to Application Roles with Oracle Identity Cloud Service
As administrator, you can assign users certain permissions in Oracle Analytics Cloud through Oracle Identity Cloud Service.
About Application Role Assignment with Oracle Identity Cloud Service
When you set up an Oracle Analytics Cloud instance, an application dedicated to that instance is automatically created in Oracle Identity Cloud Service.
If you want to, you can assign user permissions through this application.
Note:
You don’t have to use Oracle Identity Cloud Service. You might prefer to assign user permissions to application roles through the Console. See Configure What Users Can See and Do Using the Console.The Oracle Identity Cloud Service application for your Oracle Analytics Cloud instance includes several predefined application roles (ServiceAdministrator, ServiceUser, ServiceViewer) that map to a set of predefined application roles in Oracle Analytics Cloud.
Description of the illustration app-roles.jpg
To understand more about the predefined Oracle Analytics Cloud application roles, see About Application Roles.
Replace the Self-Signed Certificate for Secure HTTP Access
This topic does not apply to Oracle Analytics Cloud services using Oracle Identity Cloud Service with Oracle Cloud Infrastructure Load Balancing Classic.
When you create a service with Oracle Analytics Cloud - Classic and you choose to use WebLogic embedded LDAP server for identity management (instead of Oracle Identity Cloud Service with a Load Balancer), a self-signed certificate is generated. This certificate is intended to be temporary, so you must replace it with a certificate and key signed by Certificate Authority (CA) that HTTP access from browsers are configured to trust; for example, a commercial CA built into the browser by the browser vendor. The temporary certificate expires one year after service creation.
For production environments, use a CA-issued SSL certificate. For development environments, you can use either a CA-issued or self-signed certificate.
- Access the SSH client, using a tool such as PUTTY.
- Enter the host using your private key.
- For BI and Essbase services, use the script
proxy_register_ssl_private_key
. See Register SSL Private Keys with the HTTP Proxy for a Nonmetered Service (BI Service Script).
Redirect HTTP Traffic to HTTPS
By default, both HTTP and HTTPS access to the Oracle
Analytics Cloud URL is enabled. For BI services, you can redirect HTTP traffic to HTTPS using the script proxy_redirect_http_to_https
.
Connect with EssNet over HTTP
You can connect with EssNet from any software using Essbase Runtime Client (RTC) over HTTP protocol without opening ports or performing extensive configuration.
To connect with Agent using Discovery URL, point the server address to the
specific endpoint as follows: https://host/essbase/agent
. This
RTC endpoint is a "discovery URL", which automatically selects the connection type and
routes clients, whether connecting from inside or outside of the firewall.
When you use RTC, use cURL to connect with HTTP endpoints.
When you use SSL encrypted communication, you must enable the Essbase libcurl library to set up a secure channel. Specify the location of the certificate authority (CA) certificate, or use the default provider. Choose one of the following options.
API_CAINFO=CA certificate file path
or
API_CAPATH=directory path containing CA certificates
You can download a CA certificate file. One sample source is: https://curl.haxx.se/docs/caextract.html
.
If you’re using a self-signed certificate, you must add it to the CA certificate file.
Manage Credentials
From time to time you might need to update credentials for services and databases used by Oracle Analytics Cloud - Classic.
Update the Database Password for an Essbase Service
You set the database administrator credentials when you set up your Essbase service.
Update the Database Password for a BI Service
You select a cloud database and set the database administrator credentials when you set up Enterprise Business Intelligence and Data Visualization services. If the database administrator password for this Oracle Database Classic
Cloud Service changes or expires, you can use the reset_schema_password
script to update the password that your BI service uses to access its schemas.
Update WebLogic Administrator Passwords for a BI Service
If you have a traditional metered or nonmetered subscription to Oracle Analytics Cloud - Classic, you use WebLogic Embedded LDAP Server for identity management.
Update Cloud Storage Passwords
Oracle Analytics Cloud - Classic uses containers in Oracle Cloud Infrastructure Object Storage Classic to store analytics datasets and backups.
Sometimes, you might need to update the credentials Oracle Analytics Cloud - Classic uses to access Oracle Cloud Infrastructure Object Storage Classic. For example, when you try to back up or restore your Oracle Analytics Cloud - Classic service and you receive an access denied error message because the storage credentials are out of sync.
To update the password required to access the storage container:
- In Oracle Cloud Infrastructure Console, navigate to Analytics Classic.
- Click the name of the service that you need to update.
- Click Manage this Instance menu icon, and select Instance Credentials.
- Enter the name of the user with read/write access to Oracle Cloud Infrastructure Object Storage Classic that you specified when you created this service.
- Enter the updated password for this user.
- Click Update.
- Restart your service.
Deploy Oracle Analytics Cloud - Classic on an IP Network
You can deploy Oracle Analytics Cloud - Classic and its associated Oracle Database Classic Cloud Service on an IP network. If you use Oracle Identity Cloud Service with Oracle Analytics Cloud - Classic, you perform all the tasks in this topic. If you use the embedded LDAP server with Oracle Analytics Cloud - Classic, you don’t need to create the load balancer (you can skip steps 2 and 3).
Note:
This topic describes how to deploy Oracle Analytics Cloud - Classic on a basic IP network to help you get started. If your organization has more complex network configuration requirements, work with your networking team to perform all the required configuration. For example, if you have multiple IP networks you must set up an IP network exchange. See Workflows for Using IP Networks in Using Oracle Cloud Infrastructure Compute Classic.To deploy Oracle Analytics Cloud - Classic on an IP network: