FYI: OBIEE 10g to 11g Upgrade Process Validation Plan and bug 1467168.1 (Multiple Pie Charts Displayed for a Pivot Table)

So you've just completed your 10g repository and web catalog upgrade to Oracle's new 11g platform, congratulations! Per Oracle's Fusion Middleware Upgrade Guide for OBIEE 11g you're now ready to to perform, in my opinion, the most difficult task of the upgrade process : the validation of the upgraded environment (as pictured below):

A comprehensive OBIEE validation plan should include the following:

1. A thorough comparison of functionality of existing reports in the web catalog
2. Confirmation of customizations in the repository, including but not limited to:
1. level based measures
2. physical/bmm star schema
3. complex joins
4. derived measures
5. hierarchies
6. variables (session, static, dynamic)
3. Security - the upgrade to 11g will require you to make security changes to your 10g model, so customization is required, but you'll want to confirm the following none the less:
1. object level security in the web catalog
2. data level security in the repository
1. note* that any filters applied to your Groups in the 10g rpd will not be present in the 11g RPD as groups have been removed from the metadata layer completely

Security Manager 10g:

Security (Identity) Manager 11g:

Now as you complete step 1 of your validation plan ( A thorough comparison of functionality of existing reports in the web catalog)

You notice that all of your 10g pivot table pie charts are all being generated incorrectly! Rather than 1 pie with x slices, your 11g pivot table pie charts are x pies each with one slice.

10g pivot table pie chart:

11g pivot table pie chart:

Before you begin the process of estimating hours to manually re-configure every pie chart in your system, WAIT!

This is actually a known 11.1.1.6.0  bug [ID 1467168.1] which can be fixed using Oracle's oPatch software and Patch 14003822 via Oracle Support

The steps on how to apply this patch, or even utilizing oPatch in general, are hazy at best so below is a step by step outline on using oPatch w/ Patch 14003822 :

Step 1: Identify your oPatch directory

Normally located in your $ORACLE_HOME/opatch directory. After identifying your directory, add the oPatch path to your system PATH variable as you'll be running the 'opatch' application from command line.

Step 2:  Confirm core oPatch files exist 

By running the following via command line:

  - opatch lsinventory -jre $ORACLE_HOME/jdk/jre
Your output should be familiar to the screen below:

Step 3:  Install  Patch 14003822

Navigate to the directory that contains your unzipped Patch folder 14003822 and perform the following command:

   - opatch apply -jre $ORACLE_HOME/jdk/jre
Your screen should be similar to:

A successful patch will result in the following message:

Step 4: Validate Changes

BEFORE:



AFTER:

Original 10g chart for reference:





keywords: obiee 10g to 11g upgrade, 1467168.1, obiee 11g pie charts, obiee 11g upgrade, obiee 11g roadmap

FYI: ORACLE_HOME Environment Variable and OBIEE 11g RPD error ORA-12154

Consider the scenario where you've been asked to install a fresh 11g stack on a server. A normal OBIEE 11g stack includes:

• 11g database
• Repository via RCU
• 11g weblogic domain
• Admin Server
• Managed Server scaled out n times for each ManagedServer instance
• OBIEE 11g (managed within the weblogic domain)
• 11g presentation server
• 11g client tools

Due to financial constraints, you've been asked to install the 11g database, 11g weblogic domain and 11g presentation server on a single server. This in its self is not an issue, and is common practice, especially for proof of concepts.

In a standard 11g database install, you'll set your $ORACLE_HOME variable to ..\.\

product\11.2.0\dbhome_1\

This is where you'll store your TNSNames.ora and SQLNet.ora files. These files are critical because they determine the database addresses needed for establishing a collection. Your default tnsnames.ora file will most likely include your localhost.  See below for an example:

Now you've installed the database, created the RCU and you're ready to install & configure Fusion Middleware (formally 10g's Enterprise Manager).

But wait! Fusion Middleware's Configuration Guide says create an ORACLE_HOME environment variable and set it to OBIEE 11g's database path:  app\11g\mw_home

See table below:

 

OBIEE 11g ORACLE_HOME	app\11g\MIDDLEWARE_HOME
Oracle 11g database ORACLE_HOME	app\CookJR\product\11.2.0\dbhome_1

What do you do?

Keep your ORACLE_HOME environment variable set to your DB path and make sure any datasources you add as a physical layer of the RPD are added to the ORACLE_HOME db path and not the 11g ORACLE_HOME

This is critical because during the configuration of your OBIEE system within 11g you'll be required to set the ORACLE_HOME path twice:

1. When you configure your Oracle Identity Store to utilize an external database
2. When you update your tnsnames.ora file to contain the physical data sources of your connection pool within the RPD

If you fail to adhere to this policy, you will encounter the following error when you create a connection pool in your physical layer:

ORA-12154: TNS:could not resolve the connect identifier specified at OCI call OCIServerAttach. [nQSError: 17014] Could not connect to Oracle database. (HY000)

This is actually a known Oracle Bug (Search OTN ID 129637.01) and if you encounter this error , relax the fix is quick:

STEP 1: Edit registry under HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\<Oracle_Home> to make sure NLS_LANG key is set to a valid characterset for the Oracle Client used as the DSN.

STEP 2: Edit the file %MiddleWare_Home%\instances\instance1\bifoundation\OracleBIApplication\coreapplication\setup\bi-init.cmd to set %ORACLE_HOME%\bin as first entry in the PATH.
e.g.

set PATH=%OBIEE_HOME%\bin;%OBIEE_HOME%\bifoundation\server\bin;%OBIEE_HOME%\bifoundation\web\bin;C:\Oracle\BIEE_11g\jre\bin;%windir%;%windir%\system32;%PATH%

STEP 3 Please edit the file %MiddleWare_Home%\instances\instance1\bifoundation\OracleBIApplication\coreapplication\setup\user.cmd to set TNS_ADMIN to your Oracle client tnsnames.ora home directory path (in case exists) or to your OBIEE tnsadmin %OBIEE_Client_Home%\Oracle_BI1\network\admin.
e.g.

set TNS_ADMIN=C:\oracle\product\11.2.0\client_1\network\admin

Oracle Technical Network says you can't test this in online mode, but it is possible by creating a new connection pool and then attempting to 'Import Metadata'. No reboot is required. 

If you pass Step 1:

you have successfully connected to your physical data source using the tnsnames.ora file located in your

app\CookJR\product\11.2.0\dbhome_1 folder. Congrats!

keywords : obiee 11g upgrade, obiee ORACLE_HOME variable, obiee 11g guide, obiee 11g installation, ORA-12154

FYI: Identity found in Weblogic but could not be authenticated (OBI-SEC-00022, OVD-40066)

During most 11g implementations, a practitioner will be required to implement a security policy that allows OBIEE 11g Answers to authenticate against an external data source (such as OID , ADUC, or even an external database). Infact, I've even posted a how-to on integrating Oracle Internet Directory as an authentication source with 11g Answers .

During the security integration process, Oracle's technical documentation recommends that the practitioner should verify that the Users and Groups are visible in Weblogic Admin Console before completing the implementation process.   See the screen below for an example of a fairly common Users and Groups section:

Nothing too spectacular. You'll see that the user i've filtered on has 'myOIDDirectory' (the name of my OID authentication provider) listed as its source.

Per Oracle's technical documentation, we would mark this as a success and move on.

Now you attempt to log into Answers 11g and the authentication fails:

Your real time log now says the following: 

SecurityService::authenticateUserWithLanguage [OBI-SEC-00022] Identity found but could not be authenticated

and your bi_server1-diagnostic.log confirms:

Relax, you're not alone, and the fix is quick : If you've configured an external authentication provider using Oracle Internet Directory or Active Directory , OBI-SEC-00022 most likely means you've provided the correct User Base DN but at the wrong level.

For example (using OID):

If your OID tree is : cn=team,cn=users,cn=company,dc=trusted,dc=oracle,dc=dev - meaning that your user list is under the cn=team branch (reading left to right, cn=company being the root), then you need to specify your User Base DN one level above that branch. In this case, your User Base DN would be

cn=users,cn=company,dc=trusted,dc=oracle,dc=dev

Although not specifically stated in the Fusion Middleware Security Guide , your User Base DN should be one level above the branch that contains your users.

Also, make sure your Principal DN specifies the full path. 

For example:

If you're authenticating with cn=orcladmin, your Principal DN cannot be cn=orcladmin. It should be:

cn=orcladmin,cn=team,cn=users,cn=company,dc=trusted,dc=oracle,dc=dev  - assuming that the orcladmin account is under the cn=team directory.

keywords: obiee 11g security, obiee ldap authentication, OBIEE-SEC-00022, OVD-40066, OBIEE OID authentication, weblogic authentication provider

FYI: Enabling Virtualization (virtualize=true) and OBI-SEC-00015

Many OBIEE blogs that discuss external authentication with obiee 11g (including my recent post on OID integration ) specify that a virtualize=true parameter is required for the configuration of Fusion Middleware's Identity Store. Even Oracle's own technical documentation specify this as a required parameter when dealing with multiple authentication sources.

Here is an example of a common Identity Store configuration w/ OID and a default authenticator:

Yet a quick google search will tell you that many practitioners have encountered problems (or so they think) with the virtualize = true parameter during their external authentication implementation.

What does the virtualize=true parameter mean?

If you are implementing multiple authentication providers, you need to 'enable' Fusion Middleware applications to see all the users, groups, and roles within the Weblogic Administration Console.   This is accomplished with Oracle Virtual Directory (OVD). Oracle Virtual Directory is an LDAP service that provides virtualized abstraction of multiple data sources into a single view.  By specifying virtualize=true, Fusion Middleware utilizes the OVD service as the mechanism for identifying, storing, and accessing users and groups across multiple authentication systems.


Does DefaultAuthenticator count as an authentication source?

When implementing weblogic 11g/obiee out of the box, a weblogic defaultAuthenticator is provided with 3 system accounts : BISystemUser, OracleSystemUser, and weblogic. Multiple posts have been created on Oracle Technical Network questioning the need to count the default authenticator as an authentication source.

What happens we do not count Default Authenticator as an authentication source, there by eliminating the need for virtualize=true?

If you're encountering a scenario where you have an external LDAP authentication (OID, ADUC) as well as the default authenticator for system users, and you remove the virtualize=true paramater in the Identity Store, you will still be able to log into OBIEE 11g Answers w/ your OID/ADUC users.

But try logging in with a System User (e.g. weblogic or OracleSystemUser): You will encounter OBI-SEC-00015 error:

Error Message From BI Security Service: SecurityService::authenticateUserWithLanguage [OBI-SEC-00015] Unable to find user in identity store

An examination of your bi_server1-diagnostic.log will confirm the error:

 Conclusion?

• The DefaultAuthenticator does count as an authentication source
• If you are going to implement an external authentication provider and use the DefaultAuthenticator, virtualize=true is needed for the DefaultAuthenticator system users

If you are unable to log into Answers 11g with your OID/ADUC users, the problem is most likely not the virtualize=true flag.   Review your configuration settings, search OTN, and remember - virtualize=true is needed!



keywords : OBIEE 11g authentication, ldap authentication, weblogic authentication provider, OBI-SEC-00015, virtualization, external groups authentication

How-to: Oracle Internet Directory Authentication with OBIEE 11g - Part 2

In our part 1 of 'Internet Directory Authentication with OBIEE 11g' we used weblogic to:

1. Add OID to the Authentication Provider List
2. Configure the OID Authenticator with required credentials
3. Configure the authentication control flag
4. Re-configure the authentication sequence
5. Validate that the OID users and groups are appearing in weblogic

In this post we will move to the Oracle 11g Enterprise Manager : Fusion Middleware  (located in :7001/em/ )

Step 1: Configure the user name and virtualization attributes within the Fusion Middleware Identity Store

In the Weblogic Domain folder navigate to Security -> Security Provider Configuration menu option

then click 'Configure':

You will need to add the following 3 custom properties:

Property	Value
user.login.attr	Specify the User Name Attribute that is set in the authentication provider. For example, if the User Name Attribute is set to mail in the authentication provider, then set this value to mail.
username.attr	Specify the User Name Attribute that is set in the authentication provider. For example, if the User Name Attribute is set to mail in the authentication provider, then set this value to mail.
virtualize	TRUE

Step 2:  Add BISystemUser to the BISystem Application Role

After clicking 'OK', navigate to the Application Roles screen as follows:

2.a) Click BISystem under the rolename column. You should see a user called 'BISystemUser' under Membership for BISystem' table

You might ask yourself, 'Why do I need to add the BISystemUser to the BISystem Application Role if that user is already a member?'

And the answer is: YOU DON'T! But why? Remember the prerequisite in part 1 was to have a BISystemUser created in OID? That was because OBI uses a specific user for each configured authenticator for internal communication within weblogic. Furthermore, each configured authenticator needs to be a member of the BISystemUser application role for Administrator privileges.

Rather than maintaining separate pseudo BISystemUser accounts in each authenticator, Oracle recommends 1 BISystemUser for all authentication providers  . Although, if you decided to maintain a BISystemUser in your OID under a different alias, you would need to add the user to the BISystemUser Application Role as outlined above.

Step 3: Add your OID BISystemUser to the Credential Store Provider

After clicking 'OK', Navigate to the Credential Store Provider screen as follows:

3.a) expand the oracle.bi.system folder and edit the 'system.user' credential

3.b) Modify the system.user key to specify your 'OID' BISystemUser

If you've been paying attention, you should be asking yourself 'What about the BISystemUser in the Default Authenticator?'

Answer: If you do not change your default authenticator password to match the BISystemUser password in your OID, then you will not be able to authenticate any weblogic system users in answers. You will get an error:

Error Message From BI Security Service: SecurityService::authenticateUserWithLanguage [OBI-SEC-00015] Unable to find user in identity store When attempting to log into Answers with a weblogic user such as OraclesSystemUser or weblogic (BISystemUser will work because you've specified myOIDDirectory as sufficient and ranked it higher priority on the provider list than your default authenticator).

Step 4:  Change your default authenticator BISystemUser password to match the BISystemUser password in OID

I made this a high level step rather than a sub step to emphasize the importance. If this step is skipped, you will not be able to log into weblogic with any system users.

Navigate to the Weblogic Server Admin Console (:7001/console/) -> Security Realm -> myrealm -> Users and Groups -> Users -> BISystemUser (DefaultAuthenticator)


 *note that if your OID system has more than 1000 users then you will have to click the 'Customize this table' link and search for BISystemUser


Make the BISystemUser password in your default authenticator the same password as BISystemUser in your OID authenticator

  Step 5: Add BISystemUser to the Global Admin Role

Navigate to Security Realm -> myRealms -> Roles and Policies -> Realm Roles -> Global Roles -> Roles -> Admin -> View Role Conditions

then...

then..

and finally add 'BISystemUser' under 'User Argument Name'

At 'Edit Global Roles', your screen should look like:

Step 6: Add BISystemUser to the JMS OBI Module

Navigate to Services -> Messaging -> JMS Modules -> BIpJmsResource -> Security Tab -> Policies Sub Tab and add the BISystemUser in a similar fashion as in step 5

After adding BISystemUser, your 'Settings for BipJmsResource' page should look like:

Step 7: Set the Control Flag in your defaultAuthenticator to 'OPTIONAL'

A control flag of optional indicates that authentication can fail or succeed with the specified provider. If the provider succeeds, it will continue down the authentication list. If tf the provider fails, it will also continue down the authentication list. This is ok because we've specified the DefaultAuthenticator as the last authentication provider on the list.

Navigate to : Security Realm -> myRealms -> Providers -> Authentication -> Default Authenticator -> Configuration -> Common

Step 8: Activate Changes and restart Admin Server & BI Service

Step 9: Validate OID Authentication by logging into Answers:

and finally if you were to look at the bi_server1-diagnostic.log in Fusion Middleware , it would confirm the OID authentication as follows:

Next I will cover OID Authentication in 11g while using external databases to store groups.


keywords: OBIEE 11g security, ldap authentication, weblogic authentication provider, obiee ldap, obiee authentication, alternate authentication providers

How-to: Oracle Internet Directory Authentication with OBIEE 11g - Part 1

Consider the scenario where you're configuring a proof of concept 11g implementation using Oracle Internet Directory as the authentication provider. Oracle's Fusion Middleware Security Guide for 11g certainly provides you with a bird's eye view of how to configure OBIEE 11g to integrate with web logic's OID LDAP authentication provider but in this how-to I will digress slightly and present a detailed, step by step guide on how to configure your OBIEE 11.1.1.6 system to use OID LDAP authentication for users.

This how-to is a culmination of the countless posts on Oracle Technical Network requesting additional help with implementation and will provide the user answers to the most common OBI and OVD (Oracle Virtual Directory) errors that you typically encounter in this proces, including: OVD-40666, OBI-SEC-00022, OBI-SEC-00015, and LDAP error code 32.

At the end of this how-to, any user within OID will be able to log into OBIEE 11g Answers.

Note that if you're using OID as the authentication provider but storing groups in an external database table, this also serves as a suitable 'step 1' prior to implementing the groups authentication model (to be covered at a later date)

Prequisities:

Your Oracle Internet Directory must have the following users:

• BISystemUser
• BIAuthor
• BIConsumer
• BIAdministrator

These are out-of-the-box weblogic users that weblogic uses in its defaultauthenticator for users, groups, and application roles.

If you are using Oracle Internet Directory to store groups, then it must include the following weblogic out of the box groups:

• BIAdministrators
• BISystemUsers
• BIAuthors
• BIConsumers

Step 1: Add Oracle Internet Directory as an Authentication Provider in Weblogic Administration Console

1.a) Navigate to Security Realm -> myRealm -> Providers -> Authentication -> New 

to add an OID Authentication Provider

* Note that at this point, you  will not  see myOIDDirecotory in your Authentication Provider. You will be adding this authentication provider in the next steps. Your only two authentication providers should be: DefaultAuthenticator and DefaultIdentityAsserter

1.b) After Clicking 'New', populate the 'Create a new Authentication Provider' screen as outlined below:

1.c.) After clicking 'Ok' Your myOIDDirectory Authenticator Provider will appear on the Authentication Provider list below: Click 'myOIDDirectory' to begin the configuratin of the Provider Specific information:

Step 2:  Configure the myOIDDirectory Authentication Provider with required connection details

 2.a) After clicking 'myOIDDirectory' navigate to 'Configuration' -> Provider Specific  as seen below:

The correct configuration of Host, Port, Principal, and Credential is required before proceeding to step 2.b.. If you are unfamiliar with Oracle Internet Directory, it is recommended that consult your OID Administrator for assistance. Here is a breakdown of each required field.

Host is the ip address of your company's OID LDAP server.

Port represents the port number that the OID LDAP server utilizes for listening & communication

Principal  represents the distinguished name (DN) or 'orcladmin' account needed to connect the OID LDAP server.  Yes that is correct, you will need a cn=orcladmin or equivilent account for communication to the OID LDAP server.  We have tested leaving the Principal and Credential field blank even if anonymous binding is enabled, with no success.

Your principal  DN should represent the full path to the orcladmin account and not just cn=orcladmin. 

For example: If your cn=orcladmin (or equivilant) account is under :

cn=Users,dc=trusted,dc=oracle,dc=com 

Then the above Principal DN should be : cn=orcladmin,cn=Users,dc=trusted,dc=oracle,dc=com . It is not sufficient to only include cn=orcladmin

Credential/Confirm Credential represents the password of the cn=orcladmin (or equivalent) account.

Failure to correctly configure the host/port/prinicpal settings will most likely result in one of the following errors:

• OBI-SEC-00004 Unable to initialize oracle.bi.security.service.SecurityWebService
• OVD-60024 Connection error: [LDAP: error code 49 - Invalid Credentials].
• OBI-SEC-00028 System User could not be authenticated
• OBI-SEC-00003 OVD-60143 Unable to create connection to ldap:// 

 2.b)  Configure remaining required settings

 

 User Base DN represents the OID tree branch path that stores the users .

NOTE: Here is where many people misconfigure their OID Authentication Provider in web logic. Oracle's Fusion Middleware Security Guide does not explicitly state this, but your User Base DN needs to be 1 level higher than the tree branch which stores your user list.

For example:

If your OID that contains your users is:  cn=Users,dc=trusted,dc=oracle,dc=com  , then your User Base DN needs to be: dc=trusted,dc=oracle,dc=com.

Failure to appropriately configure this step will result in OBI-SEC-00022 error:

SecurityService::authenticateUserWithLanguage [OBI-SEC-00022] Identity found <username> but could not be authenticated

 which means that Oracle was able to find the user in the web logic console under 'Users and Groups' but could not complete the authentication against OID.

User Name Attribute  specifies the OID attribute which you want to use to authentication. If you want to use the user's email address, the User Name attribute would be mail. In this example, I will use the common name (cn) .

User Object Class  specifies the tree branch in OID that contains the users. Out of the box OID implementation uses 'person' , but in this example i've used a custom 'Staff tree'.

Group Base DN represents the OID tree branch path that stores the groups. Similar to User Base DN, it should be 1 level higher than the tree branch which stores your groups list. If  you are using an external database table to store groups, than you can disregard this field.

Step 3: Configure the authentication control flag to sufficient

After clicking saving on 'Settings for myOIDDirectory' page, you should be back at:

3.a) Click 'myOIDDirectory'  then Configuration -> Common and change the Control Flag to 'SUFFICIENT'

A SUFFICIENT control flag indicates that if the user successfully authenticates against this provider, then weblogic will release control back to the system. But if the user fails to authenticate with this provider, weblogic will continue down the authentication provider list.

Step 4: Reorganize the authentication provider list

After clicking Save on the 'Common' tab of the Settings for myOIDDirectory, you will be back in the Authentication tab. Click 'reorder' and move myOIDDirectory to the top of the list.

and then...

4.a) After clicking 'OK' you will be taken back to the Authentication tab. Click 'Activate Changes' within the Change Center, then reboot the Admin Server & BI Service.

Step 5:  Validate your OID users are found in the 'Users and Groups' tab

After rebooting the Admin Server and BI Service you should be able to see the Users and Groups of your OID LDAP server within the Users and Groups tab under: Security Realms -> myrealms -> Users and Groups

You should also test Groups by clicking on a user within your OID directory (for example cookjr@c02) and then viewing the groups tab:

Even if you are using an external database table to store groups (and not OID), clicking on groups for a specific user should not return an error. 

"If your users do not appear on the Users and Groups tab, or viewing the groups of a specific OID user throws an error, do not proceed to step 6 and instead, review your configuration settings with your OID Administrator"

Step 6: Fusion Middleware Changes

At this stage, we are going to move to Fusion Middleware to make the required application role changes. I've decided to seperate that into part 2 which you can find here


keywords: obiee 11g authentication, ldap authentication, weblogic authentication provider, obiee 11g oid authentication, custom authentication provider