- Add OID to the Authentication Provider List
- Configure the OID Authenticator with required credentials
- Configure the authentication control flag
- Re-configure the authentication sequence
- Validate that the OID users and groups are appearing in weblogic
In this post we will move to the Oracle 11g Enterprise Manager : Fusion Middleware (located in :7001/em/ )
Step 1: Configure the user name and virtualization attributes within the Fusion Middleware Identity Store
In the Weblogic Domain folder navigate to Security -> Security Provider Configuration menu option
then click 'Configure':
You will need to add the following 3 custom properties:
| Property | Value |
| user.login.attr | Specify the User Name Attribute that is set in the authentication provider. For example, if the User Name Attribute is set to mail in the authentication provider, then set this value to mail. |
| username.attr | Specify the User Name Attribute that is set in the authentication provider. For example, if the User Name Attribute is set to mail in the authentication provider, then set this value to mail. |
| virtualize |
TRUE
|
Step 2: Add BISystemUser to the BISystem Application Role
After clicking 'OK', navigate to the Application Roles screen as follows:
2.a) Click BISystem under the rolename column. You should see a user called 'BISystemUser' under Membership for BISystem' table
You might ask yourself, 'Why do I need to add the BISystemUser to the BISystem Application Role if that user is already a member?'
And the answer is: YOU DON'T! But why? Remember the prerequisite in part 1 was to have a BISystemUser created in OID? That was because OBI uses a specific user for each configured authenticator for internal communication within weblogic. Furthermore, each configured authenticator needs to be a member of the BISystemUser application role for Administrator privileges.
Rather than maintaining separate pseudo BISystemUser accounts in each authenticator, Oracle recommends 1 BISystemUser for all authentication providers . Although, if you decided to maintain a BISystemUser in your OID under a different alias, you would need to add the user to the BISystemUser Application Role as outlined above.
After clicking 'OK', Navigate to the Credential Store Provider screen as follows:
3.a) expand the oracle.bi.system folder and edit the 'system.user' credential
3.b) Modify the system.user key to specify your 'OID' BISystemUser
If you've been paying attention, you should be asking yourself 'What about the BISystemUser in the Default Authenticator?'
Answer: If you do not change your default authenticator password to match the BISystemUser password in your OID, then you will not be able to authenticate any weblogic system users in answers. You will get an error:
| ||||||
I made this a high level step rather than a sub step to emphasize the importance. If this step is skipped, you will not be able to log into weblogic with any system users.
Navigate to the Weblogic Server Admin Console (:7001/console/) -> Security Realm -> myrealm -> Users and Groups -> Users -> BISystemUser (DefaultAuthenticator)
*note that if your OID system has more than 1000 users then you will have to click the 'Customize this table' link and search for BISystemUserMake the BISystemUser password in your default authenticator the same password as BISystemUser in your OID authenticator
Step 5: Add BISystemUser to the Global Admin Role
Navigate to Security Realm -> myRealms -> Roles and Policies -> Realm Roles -> Global Roles -> Roles -> Admin -> View Role Conditions
then...
and finally add 'BISystemUser' under 'User Argument Name'
At 'Edit Global Roles', your screen should look like:
Step 6: Add BISystemUser to the JMS OBI Module
Navigate to Services -> Messaging -> JMS Modules -> BIpJmsResource -> Security Tab -> Policies Sub Tab and add the BISystemUser in a similar fashion as in step 5
After adding BISystemUser, your 'Settings for BipJmsResource' page should look like:
Step 7: Set the Control Flag in your defaultAuthenticator to 'OPTIONAL'
A control flag of optional indicates that authentication can fail or succeed with the specified provider. If the provider succeeds, it will continue down the authentication list. If tf the provider fails, it will also continue down the authentication list. This is ok because we've specified the DefaultAuthenticator as the last authentication provider on the list.
Navigate to : Security Realm -> myRealms -> Providers -> Authentication -> Default Authenticator -> Configuration -> Common
Step 9: Validate OID Authentication by logging into Answers:
and finally if you were to look at the bi_server1-diagnostic.log in Fusion Middleware , it would confirm the OID authentication as follows:
Next I will cover OID Authentication in 11g while using external databases to store groups.
keywords: OBIEE 11g security, ldap authentication, weblogic authentication provider, obiee ldap, obiee authentication, alternate authentication providers
OBIEE , OES , OID integration.I created a dashboard/analysis on obiee analytics. I assigned it some permissions such as read access to particular role. I have configured LDAP based security configuration.Now i want to store the permissions in the connected OID. Currently it stores the permissions/ access control list in .atr file in some hex data format.
ReplyDeleteI want to configure OES for setting permissions for my dashboard / analysis which will ultimately store the permissions data into OID. Is it possible.
For that i want to configure permissions access through OES which will ultimately store the access information into OID.
There is also a tool known as OBI Catalog manager through which we can configure the permissions/ access control list for our dashborad/analysis, but the problem is it stores these access data in .atr file. I want to store these access data into my OID.
Please correct me if my understanding is incorrect.