4 Manage Service Access and Security

By default, Oracle Analytics Cloud - Classic services are accessible only through HTTP and secure protocols such as SSL and SSH, and only on specific ports. You can customize the default security configuration to support different access rules and security policies.

Manage SSH Access

To make things easy, you view and manage SSH keys for all the services in your Oracle Analytics Cloud - Classic identity domain from the same page.

If you lose the SSH private key used to access a service, or the key gets corrupted, you can add a new public key for that service. You might also need to add a new public key to comply with your organization’s new security policies or regulations.

  1. In Oracle Cloud Infrastructure Console, navigate to Analytics Classic.
  2. To view or add SSH keys for a particular service, click Manage this service, and then select SSH Access to add or edit SSH keys assigned to that service.
  3. To view or add SSH keys for any service in the identity domain, select the SSH Access tab.

    A list of services and their current details are displayed.

    • Use the Search fields to find services by their name and type.

    • View or edit the SSH public keys assigned to the VMs in your service.

    • Add a new key for a service by clicking Add New Key.

Control Access to Service Components

You use access rules to control network access to Oracle Analytics Cloud - Classic.

  1. In Oracle Cloud Infrastructure Console, navigate to Analytics Classic.
  2. Select Manage the service for the service you want to add access rules for.
  3. Select Access Rules.
  4. Click Create Rule to set up a new access rule for your service.
  5. Enter a unique name for the access rule.
    The name must begin with a letter, and can contain numbers, hyphens, or underscores. The name can't exceed 50 characters or include the prefix ora_ or sys_.
  6. Optional: Specify a description for the rule.
  7. Select or enter a source — the host from which traffic should be allowed.
    • PUBLIC-INTERNET — Any host on the internet.

    • BI_ANALYTIC_SERVER — Server for Oracle Analytics Cloud - Classic.

    • DBaaS — The cloud database you specified when you created the service. If your service instance is configured with more than one database you can select which database to use for the source.

    • custom — A custom list of addresses from which traffic is allowed. In the field that is displayed when you select this option, enter a comma-separated list of the subnets (in CIDR format, such as 192.123.42.1/24) or IPv4 addresses for which you want to permit access.

  8. Select or enter a destination for the rule, a service component to which traffic should be allowed.
    The same options as the previous step are available. The source and the destination must be different.
  9. Specify one or more ports through which the source will access the destination.
    You can specify a single port or a range of ports (such as 7001–8001).
    • 80 – HTTP access to Oracle Analytics Cloud - Classic (closed by default for services using Oracle Identity Cloud Service)

    • 443 – HTTPS access to Oracle Analytics Cloud - Classic (closed by default for services using Oracle Identity Cloud Service)

    • 1521 – Database

    • 10000 – Spark

    • 22 – SSH

    • 5902 – VNC

  10. Select the transport protocol (TCP or UDP) with which the source will access the destination.
  11. Click Create.
  12. To manage access rules on the Access Rules page, click the Menu icon and choose an option.
    • Enable — You can enable rules with the rule type USER or DEFAULT. You can't enable a rule if the rule type is SYSTEM.

    • Disable — You can disable rules with the rule type USER or DEFAULT. You can't disable a rule if the rule type is SYSTEM.

    • Delete — You can delete rules with the rule type USER. You can't delete a rule if the rule type is SYSTEM or DEFAULT.
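
The naming, endpoint and port constraints from steps 5 to 10, as an added example (not Oracle's code and not part of the original page): a Python pre-check that reviews a proposed rule before you enter it in the console. The rule dictionary layout, the function names and the choice to flag SSH, database, VNC and Spark ports opened to any host are assumptions of this example.

```python
import ipaddress
import re

# Named endpoints and ports come from the steps above. Which ports to flag when
# the source is any internet host is this example's review policy (an assumption).
NAMED = {"PUBLIC-INTERNET", "BI_ANALYTIC_SERVER", "DBaaS"}
REVIEW_PORTS = {22: "SSH", 1521: "Database", 5902: "VNC", 10000: "Spark"}
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,49}")  # letter first, max 50 chars


def parse_ports(spec):
    """Return (low, high) for a single port or a range such as 7001-8001."""
    low, _, high = spec.replace("\u2013", "-").partition("-")  # accept en dash too
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return low, high


def parse_endpoint(value):
    """Return a named endpoint unchanged, or a custom list as IPv4 networks."""
    if value in NAMED:
        return value
    # strict=False accepts an entry with host bits set (192.123.42.1/24) and
    # normalizes it to the network it actually covers (192.123.42.0/24).
    return [ipaddress.IPv4Network(p.strip(), strict=False) for p in value.split(",")]


def review_rule(rule):
    """Return review findings for one proposed access rule, given as a dict."""
    findings = []
    name = rule["name"]
    if not NAME_RE.fullmatch(name) or name.startswith(("ora_", "sys_")):
        findings.append("name: breaks the naming rules")
    if rule["protocol"] not in ("TCP", "UDP"):
        findings.append("protocol: must be TCP or UDP")
    try:
        src = parse_endpoint(rule["source"])
        dst = parse_endpoint(rule["destination"])
        low, high = parse_ports(rule["ports"])
    except ValueError as exc:
        return findings + [f"invalid: {exc}"]
    if src == dst:
        findings.append("endpoints: source and destination must be different")
    any_host = src == "PUBLIC-INTERNET" or (
        isinstance(src, list) and any(net.prefixlen == 0 for net in src))
    if any_host:
        findings += [f"exposure: {label} port {port} reachable from any host"
                     for port, label in sorted(REVIEW_PORTS.items())
                     if low <= port <= high]
    return findings
```

An empty list means the rule passes these checks. The CIDR example from step 7 is accepted and reported as the /24 network it covers, which is the scope to review rather than the single address it appears to name.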

Manage Access Rules

There are different types of access rules: user, default, and system. As administrator, you can enable and disable user and default access rules as required. You’re allowed to delete only user access rules.

  1. In Oracle Cloud Infrastructure Console, navigate to Analytics Classic.
  2. Select Access Rules.
  3. Click the Actions icon and select an option.
    • Enable — You can enable rules of type USER or DEFAULT. You can’t enable rules of type SYSTEM.

    • Disable — You can disable rules of type USER or DEFAULT. You can’t disable rules of type SYSTEM.

    • Delete — You can delete rules of type USER. You can’t delete rules of type DEFAULT or SYSTEM.

Assign Users to Application Roles with Oracle Identity Cloud Service

As administrator, you can assign users certain permissions in Oracle Analytics Cloud through Oracle Identity Cloud Service.

About Application Role Assignment with Oracle Identity Cloud Service

When you set up an Oracle Analytics Cloud instance, an application dedicated to that instance is automatically created in Oracle Identity Cloud Service.

If you want to, you can assign user permissions through this application.

Note:

You don’t have to use Oracle Identity Cloud Service. You might prefer to assign user permissions to application roles through the Console. See Configure What Users Can See and Do Using the Console.

The Oracle Identity Cloud Service application for your Oracle Analytics Cloud instance includes several predefined application roles (ServiceAdministrator, ServiceUser, ServiceViewer) that map to a set of predefined application roles in Oracle Analytics Cloud.

To understand more about the predefined Oracle Analytics Cloud application roles, see About Application Roles.

Grant Application Roles with Oracle Identity Cloud Service

As administrator, you can assign users to application roles in Oracle Analytics Cloud using Oracle Identity Cloud Service.

  1. Sign in to your Oracle Cloud account.
  2. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  3. Click OCI Classic Services. Under Platform Services, click Analytics Classic.
  4. On the Instances page, click the name of the service you want to manage.
  5. On the Instance overview page, click Show more, and then click the name of the IDCS Application that is associated with this Oracle Analytics Cloud instance.
  6. On the Oracle Identity Cloud Service application page, click Application Roles.
  7. Select an application role, and click the Menu for the specific role.
  8. From the menu list, select Assign Users.
  9. On the Assign Users page, select the users, and click OK.

Replace the Self-Signed Certificate for Secure HTTP Access

This topic does not apply to Oracle Analytics Cloud services using Oracle Identity Cloud Service with Oracle Cloud Infrastructure Load Balancing Classic.

Secure Socket Layer (SSL) is the most commonly used method of securing data sent across the internet and assures visitors that transactions with your application are secure.

When you create a service with Oracle Analytics Cloud - Classic and you choose to use WebLogic embedded LDAP server for identity management (instead of Oracle Identity Cloud Service with a Load Balancer), a self-signed certificate is generated. This certificate is intended to be temporary, so you must replace it with a certificate and key signed by a Certificate Authority (CA) that browsers are configured to trust for HTTP access; for example, a commercial CA built into the browser by the browser vendor. The temporary certificate expires one year after service creation.

For production environments, use a CA-issued SSL certificate. For development environments, you can use either a CA-issued or self-signed certificate.

  1. Open an SSH client, such as PuTTY.
  2. Connect to the host using your private key.
  3. For BI and Essbase services, use the script proxy_register_ssl_private_key. See Register SSL Private Keys with the HTTP Proxy for a Nonmetered Service (BI Service Script).

Redirect HTTP Traffic to HTTPS

By default, both HTTP and HTTPS access to the Oracle Analytics Cloud URL are enabled. For BI services, you can redirect HTTP traffic to HTTPS using the script proxy_redirect_http_to_https.

Connect with EssNet over HTTP

You can connect with EssNet from any software using Essbase Runtime Client (RTC) over HTTP protocol without opening ports or performing extensive configuration.

To connect with the Agent using the discovery URL, point the server address to the following endpoint: https://host/essbase/agent. This RTC endpoint is a "discovery URL", which automatically selects the connection type and routes clients, whether they connect from inside or outside of the firewall.

When you use RTC, use cURL to connect with HTTP endpoints.

When you use SSL encrypted communication, you must enable the Essbase libcurl library to set up a secure channel. Specify the location of the certificate authority (CA) certificate, or use the default provider. Choose one of the following options.

API_CAINFO=CA certificate file path

or

API_CAPATH=directory path containing CA certificates

You can download a CA certificate file. One sample source is: https://curl.haxx.se/docs/caextract.html.

If you’re using a self-signed certificate, you must add it to the CA certificate file.

Manage Credentials

From time to time you might need to update credentials for services and databases used by Oracle Analytics Cloud - Classic.

You can update passwords for the associated database, cloud storage, and the WebLogic administrator.

Update the Database Password for an Essbase Service

You set the database administrator credentials when you set up your Essbase service.

You can update the password using a script. See Update Database Credentials (Essbase Service Script).

Update the Database Password for a BI Service

You select a cloud database and set the database administrator credentials when you set up Enterprise Business Intelligence and Data Visualization services. If the database administrator password for this Oracle Database Classic Cloud Service changes or expires, you can use the reset_schema_password script to update the password that your BI service uses to access its schemas.

Update WebLogic Administrator Passwords for a BI Service

If you have a traditional metered or nonmetered subscription to Oracle Analytics Cloud - Classic, you use WebLogic Embedded LDAP Server for identity management.

You set the WebLogic administrator credentials when you set up your BI service. You can update the password using a script. See Change the WebLogic Administrator Password (BI Service Script).

Update Cloud Storage Passwords

Oracle Analytics Cloud - Classic uses containers in Oracle Cloud Infrastructure Object Storage Classic to store analytics datasets and backups.

Sometimes, you might need to update the credentials Oracle Analytics Cloud - Classic uses to access Oracle Cloud Infrastructure Object Storage Classic. For example, you might receive an access denied error message when you try to back up or restore your Oracle Analytics Cloud - Classic service because the storage credentials are out of sync.

To update the password required to access the storage container:

  1. In Oracle Cloud Infrastructure Console, navigate to Analytics Classic.
  2. Click the name of the service that you need to update.
  3. Click the Manage this Instance menu icon, and select Instance Credentials.
  4. Enter the name of the user with read/write access to Oracle Cloud Infrastructure Object Storage Classic that you specified when you created this service.
  5. Enter the updated password for this user.
  6. Click Update.
  7. Restart your service.

Deploy Oracle Analytics Cloud - Classic on an IP Network

You can deploy Oracle Analytics Cloud - Classic and its associated Oracle Database Classic Cloud Service on an IP network. If you use Oracle Identity Cloud Service with Oracle Analytics Cloud - Classic, you perform all the tasks in this topic. If you use the embedded LDAP server with Oracle Analytics Cloud - Classic, you don’t need to create the load balancer (you can skip steps 2 and 3).

Note:

This topic describes how to deploy Oracle Analytics Cloud - Classic on a basic IP network to help you get started. If your organization has more complex network configuration requirements, work with your networking team to perform all the required configuration. For example, if you have multiple IP networks you must set up an IP network exchange. See Workflows for Using IP Networks in Using Oracle Cloud Infrastructure Compute Classic.

To deploy Oracle Analytics Cloud - Classic on an IP network:

  1. In Oracle Cloud Infrastructure Classic Console, navigate to the Compute Classic page to create an IP network.
    Note down the name of the IP network.
    See Create an IP Network in Using Oracle Cloud Infrastructure Compute Classic.
  2. On the Compute Classic page, create a load balancer for the IP network.
    • IP Network — Select the IP network you created in step 1.

    • Scheme — Select Internet Facing if you want the load balancer to accept traffic from the internet (that is, a public load balancer). Or select Internal, if you want the load balancer to accept requests only from the specified IP network.

    Make a note of both settings. When you set up Oracle Analytics Cloud - Classic, you must provide the name of the IP network and specify whether its associated load balancer is public or private.

    See Create a Load Balancer in Using Oracle Cloud Infrastructure Compute Classic.
  3. (Oracle Identity Cloud Service only) Verify that the load balancer you created is available. Check that the Status is Enabled and State is Healthy.
    See Verify a Load Balancer Configuration in Using Oracle Cloud Infrastructure Load Balancing Classic.
  4. Navigate to the Database Classic page, and create a custom database deployment on the IP network you created in step 1.
    Oracle Analytics Cloud - Classic uses Oracle Database Classic Cloud Service to store Oracle Analytics Cloud - Classic schemas and data. You must deploy Oracle Analytics Cloud - Classic in the same region and availability domain as the database service.
    See Create a Customized Database Deployment in Administering Oracle Database Classic Cloud Service.
    Oracle Database Classic Cloud Service doesn’t have to be deployed on the same IP network as Oracle Analytics Cloud - Classic. If you decide to deploy Oracle Database Classic Cloud Service and Oracle Analytics Cloud - Classic on different IP networks, you must create an IP network exchange that enables communication between the two IP networks.
  5. Navigate to the Analytics Classic page, and create an Oracle Analytics Cloud - Classic instance on the same IP network.
    • Region and Availability Domain — Select the same region and availability domain where you deployed the database earlier.

    • IP Network — Select the name of the IP network you created earlier.

      • Assign Public IP — Select this option if you want any node created for this service to have a public IP address.

      • Public Load Balancer — Select this option if the load balancer you created for the IP network is Internet Facing.

    • Database Service Name — Select the database that you created in this IP network.

  6. Navigate to the Analytics Classic page, click the Manage this instance icon for the service, and then click Oracle Analytics Cloud URL to verify that the service is running.