Saturday, August 25, 2012

How-to: Oracle Internet Directory Authentication with OBIEE 11g - Part 2

In our part 1 of 'Internet Directory Authentication with OBIEE 11g' we used weblogic to:

  1. Add OID to the Authentication Provider List
  2. Configure the OID Authenticator with required credentials
  3. Configure the authentication control flag
  4. Re-configure the authentication sequence
  5. Validate that the OID users and groups are appearing in weblogic

In this post we will move to the Oracle 11g Enterprise Manager : Fusion Middleware  (located in :7001/em/ )

Step 1: Configure the user name and virtualization attributes within the Fusion Middleware Identity Store

In the Weblogic Domain folder navigate to Security -> Security Provider Configuration menu option



then click 'Configure':




You will need to add the following 3 custom properties:



PropertyValue
user.login.attrSpecify the User Name Attribute that is set in the authentication provider. For example, if the User Name Attribute is set to mail in the authentication provider, then set this value to mail.
username.attrSpecify the User Name Attribute that is set in the authentication provider. For example, if the User Name Attribute is set to mail in the authentication provider, then set this value to mail.
virtualize
TRUE





Step 2:  Add BISystemUser to the BISystem Application Role

After clicking 'OK', navigate to the Application Roles screen as follows:



2.a) Click BISystem under the rolename column. You should see a user called 'BISystemUser' under Membership for BISystem' table




You might ask yourself, 'Why do I need to add the BISystemUser to the BISystem Application Role if that user is already a member?'

And the answer is: YOU DON'T! But why? Remember the prerequisite in part 1 was to have a BISystemUser created in OID? That was because OBI uses a specific user for each configured authenticator for internal communication within weblogic. Furthermore, each configured authenticator needs to be a member of the BISystemUser application role for Administrator privileges.

Rather than maintaining separate pseudo BISystemUser accounts in each authenticator, Oracle recommends 1 BISystemUser for all authentication providers  . Although, if you decided to maintain a BISystemUser in your OID under a different alias, you would need to add the user to the BISystemUser Application Role as outlined above.


Step 3: Add your OID BISystemUser to the Credential Store Provider

After clicking 'OK', Navigate to the Credential Store Provider screen as follows:





3.a) expand the oracle.bi.system folder and edit the 'system.user' credential



3.b) Modify the system.user key to specify your 'OID' BISystemUser





If you've been paying attention, you should be asking yourself 'What about the BISystemUser in the Default Authenticator?'

Answer: If you do not change your default authenticator password to match the BISystemUser password in your OID, then you will not be able to authenticate any weblogic system users in answers. You will get an error:

Error Message From BI Security Service: SecurityService::authenticateUserWithLanguage [OBI-SEC-00015] Unable to find user in identity store
When attempting to log into Answers with a weblogic user such as OraclesSystemUser or weblogic (BISystemUser will work because you've specified myOIDDirectory as sufficient and ranked it higher priority on the provider list than your default authenticator).

Step 4:  Change your default authenticator BISystemUser password to match the BISystemUser password in OID

I made this a high level step rather than a sub step to emphasize the importance. If this step is skipped, you will not be able to log into weblogic with any system users.

Navigate to the Weblogic Server Admin Console (:7001/console/) -> Security Realm -> myrealm -> Users and Groups -> Users -> BISystemUser (DefaultAuthenticator)


 *note that if your OID system has more than 1000 users then you will have to click the 'Customize this table' link and search for BISystemUser


Make the BISystemUser password in your default authenticator the same password as BISystemUser in your OID authenticator



  Step 5: Add BISystemUser to the Global Admin Role

Navigate to Security Realm -> myRealms -> Roles and Policies -> Realm Roles -> Global Roles -> Roles -> Admin -> View Role Conditions





then...
then..



and finally add 'BISystemUser' under 'User Argument Name'



At 'Edit Global Roles', your screen should look like:




Step 6: Add BISystemUser to the JMS OBI Module

Navigate to Services -> Messaging -> JMS Modules -> BIpJmsResource -> Security Tab -> Policies Sub Tab and add the BISystemUser in a similar fashion as in step 5





After adding BISystemUser, your 'Settings for BipJmsResource' page should look like:




Step 7: Set the Control Flag in your defaultAuthenticator to 'OPTIONAL'

A control flag of optional indicates that authentication can fail or succeed with the specified provider. If the provider succeeds, it will continue down the authentication list. If tf the provider fails, it will also continue down the authentication list. This is ok because we've specified the DefaultAuthenticator as the last authentication provider on the list.

Navigate to : Security Realm -> myRealms -> Providers -> Authentication -> Default Authenticator -> Configuration -> Common



Step 8: Activate Changes and restart Admin Server & BI Service



Step 9: Validate OID Authentication by logging into Answers:







and finally if you were to look at the bi_server1-diagnostic.log in Fusion Middleware , it would confirm the OID authentication as follows:






Next I will cover OID Authentication in 11g while using external databases to store groups.


keywords: OBIEE 11g security, ldap authentication, weblogic authentication provider, obiee ldap, obiee authentication, alternate authentication providers

1 comment:

  1. OBIEE , OES , OID integration.I created a dashboard/analysis on obiee analytics. I assigned it some permissions such as read access to particular role. I have configured LDAP based security configuration.Now i want to store the permissions in the connected OID. Currently it stores the permissions/ access control list in .atr file in some hex data format.
    I want to configure OES for setting permissions for my dashboard / analysis which will ultimately store the permissions data into OID. Is it possible.
    For that i want to configure permissions access through OES which will ultimately store the access information into OID.
    There is also a tool known as OBI Catalog manager through which we can configure the permissions/ access control list for our dashborad/analysis, but the problem is it stores these access data in .atr file. I want to store these access data into my OID.

    Please correct me if my understanding is incorrect.

    ReplyDelete