Friday, January 27, 2012

OBIEE11g Integration with LDAP and configuration




Hi ALL,

OBIEE 11g can work with many authentication providers. Out of the box it provides a default authenticator that is used to log in to Enterprise Manager, Analytics and the WebLogic Server console. Some companies have struggled with configuring other third-party providers. I worked with some customers to configure OBIEE 11g security with Microsoft Active Directory, and the steps I used are below.



Active Directory Configuration With Weblogic

Create a user in Active Directory; here it is deva.

The screenshot below shows the properties of user deva. Its distinguished name is:
CN=deva,OU=Accounts,OU=OBIEE,OU=IN,DC=reg1,DC=uat1Hex,DC=Hex,DC=com

Required info from the LDAP team:

1) LDAP server host name and platform (OS type)
2) LDAP server IP
3) LDAP server port number
4) User path structure (object)

   Example: the UAT1Hex path structure (path of the functional user ID).
   Group: CN=Hex_BIUser,OU=Groups,OU=Accounts,OU=OBIEE,OU=IN,DC=reg1,DC=uat1Hex,DC=Hex,DC=com
   Folder view: IN/OBIEE/accounts/Hex_1Bank
     SG = OU folder
       sub folder: OBIEE
         sub folder: Accounts

5) Group path structure (object)
   Example (path of the functional user group):
   reg1.uat1Hex.Hex.com/IN/OBIEE/Accounts/Groups/Hex_BIUser

6) Access required for our functional ID, deva:
--------------------------------------------------------------------------

   1) ldifd.tex files: permission required for our functional ID (deva)
   2) Windows Active Directory access required for our functional ID (deva)
   3) Access required for the functional ID user (deva) to the properties of users in AD



Oracle BI EE version 11.1.1.5.0 and Microsoft Active Directory 2008 (Windows Server 2008 R2, 64-bit).

Configuring the Active Directory Authenticator in Weblogic

Now click Finish, then go to the DefaultAuthenticator's settings and set its Control Flag to SUFFICIENT.

Reorder the providers so that the MSAD authenticator comes first, as shown below; in the final order MSAD is listed first, followed by the DefaultAuthenticator.

Save the settings and go to the Provider Specific tab. Enter the Host, the Port (the default port) and the Principal, as in the following example.







Example of LDAP configuration for Provider Specific:
---------------------------------------------------------------------------

Host:                   10.10.10.10
Port:                   3268
Principal:              CN=deva,OU=FNDEPT,OU=MAIL,OU=SW2,OU=NDS,DC=reg1,DC=Hex,DC=Tech,DC=com
Credential:             <ldap deva functional ID password>
Confirm Credential:     <ldap deva functional ID password>
User Base DN:           DC=Hex,DC=Tech,DC=com
All Users Filter:       (&(memberof=CN=01UREG1GPCOBIEE,OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com)(sAMAccountName=*)(objectclass=user))
User From Name Filter:  (&(memberof=CN=01UREG1GPCOBIEE,OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com)(sAMAccountName=%u)(objectclass=user))
User Name Attribute:    sAMAccountName
User Object Class:      user
Group Base DN:          OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com
All Groups Filter:      (&(sAMAccountName=*)(objectclass=group))
Group From Name Filter: (&(sAMAccountName=%g)(objectclass=group))
GUID Attribute:         objectguid
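The filter templates above contain `%u` and `%g` placeholders that the authenticator fills in with the login name or group name at lookup time. The following Python is an added example written for this page, not code from the post or from Oracle: it expands those two templates (the filter strings and the DN are copied from the settings above; the login names fed to them are constructed), escapes the substituted value per RFC 4515 so that characters such as `*` or `(` are read as literals rather than as filter syntax, and parses the resulting filter so the conditions a user or group must satisfy can be listed. It makes no claim about how WebLogic itself performs the substitution; it only shows what a correctly escaped expansion looks like and how to read the filters back.

```python
# Added example, not part of the original post: work with the provider-specific
# filter templates listed above. The two template strings are copied from the
# post; the login names fed to them are constructed for the example.

USER_FROM_NAME_FILTER = (
    "(&(memberof=CN=01UREG1GPCOBIEE,OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com)"
    "(sAMAccountName=%u)(objectclass=user))"
)
GROUP_FROM_NAME_FILTER = "(&(sAMAccountName=%g)(objectclass=group))"

# RFC 4515 escaping for the characters that are special inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is only ever read as a literal, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_template(template: str, placeholder: str, value: str) -> str:
    """Replace the placeholder (%u or %g) with the escaped value."""
    if placeholder not in template:
        raise ValueError(f"template has no {placeholder} placeholder")
    return template.replace(placeholder, escape_filter_value(value))


def user_filter(login: str) -> str:
    return expand_template(USER_FROM_NAME_FILTER, "%u", login)


def group_filter(name: str) -> str:
    return expand_template(GROUP_FROM_NAME_FILTER, "%g", name)


def parse_filter(text: str) -> tuple:
    """Parse an RFC 4515 filter into nested tuples:
    ('&', [children]) / ('|', [children]) / ('!', child) / ('=', attr, value).
    Only equality assertions are needed for the filters in this post."""
    try:
        node, pos = _parse_node(text, 0)
    except IndexError:
        raise ValueError("unterminated filter") from None
    if pos != len(text):
        raise ValueError(f"trailing data after filter at offset {pos}")
    return node


def _parse_node(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, children = s[i], []
        i += 1
        while s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse_node(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", child), i + 1
    # Simple assertion: escaped values never contain a raw ')', so the first ')'
    # closes this item. Split on the first '=' only, because a DN value such as
    # memberof=CN=...,OU=... contains further '=' characters.
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError(f"assertion without '=' at offset {i}")
    return ("=", attr, value), end + 1


def required_conditions(filter_text: str) -> list:
    """List the (attr, value) pairs an entry must satisfy under a top-level AND."""
    node = parse_filter(filter_text)
    if node[0] != "&":
        raise ValueError("expected a top-level AND filter")
    return [child[1:] for child in node[1] if child[0] == "="]


if __name__ == "__main__":
    print(user_filter("deva"))
    for attr, value in required_conditions(user_filter("deva")):
        print(f"  must have {attr} = {value}")
```

The parser is deliberately strict: unbalanced parentheses or an assertion without `=` raise instead of returning a partial tree, which is the behaviour you want when checking a filter before pasting it into the provider settings.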



After finishing the above steps, save and restart all the BI services, then log in to the WebLogic console and check whether MSAD is integrated: on the Providers screen below you can see the provider type MSAD listed alongside the DefaultAuthenticator.

Now go to Security Realms -> Roles and Policies -> Roles. Under Global Roles, open the Admin role and view its conditions, as shown in the screenshot below. This is where the global Admin role is granted to the AD user (deva).

Select View Role Conditions and the screen below will appear.

Select User, then add our AD user (deva).

Now add the condition: select User, click Next, type the AD user name in the User Argument box and click Add. Note that the global Admin role gives full administrative control over the WebLogic domain, so add only the specific AD accounts that need it.






Restart the WebLogic server.

Now log in to the admin console and go to Users and Groups; "deva" is displayed, as in the screen below.

After you log in you can see that we have successfully logged in as the AD user.




In the Edit Application Role screen, scroll down to the Users section and click the button marked “Add User”. An Add User dialog appears. Either type the user name into the User Name box or, for a full list of users, leave it blank.

screen and select the “Configure…” button to bring up the Identity Store Configuration screen. Click the green + icon to add the new properties to the Identity Store; as stated above, two new properties need to be added, user.login.attr and username.attr, both set to the value of the alternate user name attribute.

Add the AD group or AD users to the Application Role.



   

To regenerate user GUIDs:

1. Update the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI:
   a. Open NQSConfig.INI for editing at:
      ORACLE_INSTANCE/config/OracleBIServerComponent/coreapplication_obisn
   b. Locate the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter and set it to YES, as follows:
      FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
   c. Save and close the file.
2. Update the Catalog element in instanceconfig.xml:
   a. Open instanceconfig.xml for editing at:
      ORACLE_INSTANCE/config/OracleBIPresentationServicesComponent/coreapplication_obipsn
   b. Locate the Catalog element and update it as follows:
      <Catalog>
      <UpgradeAndExit>false</UpgradeAndExit>
      <UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>
      </Catalog>
   c. Save and close the file.
3. Restart the Oracle Business Intelligence system components using opmnctl:
      cd ORACLE_HOME/admin/instancen/bin
      ./opmnctl stopall
      ./opmnctl startall
4. Set the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI back to NO.
   Important: You must perform this step to ensure that your system is secure.
5. Update the Catalog element in instanceconfig.xml to remove the UpdateAccountGUIDs entry.
6. Restart the Oracle Business Intelligence system components again using opmnctl:
      cd ORACLE_HOME/admin/instancen/bin
      ./opmnctl stopall
      ./opmnctl startall
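The procedure above toggles one parameter in NQSConfig.INI and one element in instanceconfig.xml, and the post stresses that both must be reverted afterwards for the system to be secure. The Python below is an added example written for this page, not code from the post or from Oracle: it applies and reverts both edits in a way that preserves the rest of each file, and it ends with a check that reports anything still left in the "refresh" state. The two file fragments are constructed for the example (real files contain many more settings), and the namespace on the constructed `<WebConfig>` root is an assumption included only to show that a namespaced Catalog element is handled.

```python
# Added example, not from the original post or from Oracle: apply and revert
# the two configuration edits in the GUID-refresh procedure, then check that
# nothing was left in the "refresh" state. File fragments are constructed.
import re
import xml.etree.ElementTree as ET

# Constructed fragment of NQSConfig.INI (the real file has many more parameters).
SAMPLE_NQSCONFIG = """[ SECURITY ]
FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;
"""

# Constructed fragment of instanceconfig.xml; the namespace URI is an assumption.
SAMPLE_INSTANCECONFIG = """<WebConfig xmlns="oracle.bi.presentation.services/config/v1.1">
  <ServerInstance>
    <Catalog>
      <UpgradeAndExit>false</UpgradeAndExit>
    </Catalog>
  </ServerInstance>
</WebConfig>
"""

# Captures the text around the YES/NO value so an edit keeps the file's own
# spacing and the trailing semicolon.
_FLAG_RE = re.compile(
    r"^([ \t]*FMW_UPDATE_ROLE_AND_USER_REF_GUIDS[ \t]*=[ \t]*)(YES|NO)([ \t]*;.*)$",
    re.MULTILINE | re.IGNORECASE,
)


def set_guid_refresh_flag(ini_text: str, enabled: bool) -> str:
    """Return ini_text with FMW_UPDATE_ROLE_AND_USER_REF_GUIDS set to YES or NO.
    Refuses to guess if the line is missing or appears more than once."""
    value = "YES" if enabled else "NO"
    new_text, count = _FLAG_RE.subn(lambda m: m.group(1) + value + m.group(3), ini_text)
    if count != 1:
        raise ValueError(f"expected one FMW_UPDATE_ROLE_AND_USER_REF_GUIDS line, found {count}")
    return new_text


def guid_refresh_flag_enabled(ini_text: str) -> bool:
    m = _FLAG_RE.search(ini_text)
    if m is None:
        raise ValueError("FMW_UPDATE_ROLE_AND_USER_REF_GUIDS not found")
    return m.group(2).upper() == "YES"


def _local(tag: str) -> str:
    """Strip a {namespace} prefix from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _catalog_element(root):
    for el in root.iter():
        if _local(el.tag) == "Catalog":
            return el
    raise ValueError("no <Catalog> element found")


def set_update_account_guids(xml_text: str, enabled: bool) -> str:
    """Add (enabled=True) or remove (enabled=False) the UpdateAccountGUIDs
    element inside <Catalog>, keeping the document's default namespace."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # serialise without an ns0: prefix
    catalog = _catalog_element(root)
    for old in [c for c in catalog if _local(c.tag) == "UpdateAccountGUIDs"]:
        catalog.remove(old)
    if enabled:
        tag = f"{{{ns}}}UpdateAccountGUIDs" if ns else "UpdateAccountGUIDs"
        ET.SubElement(catalog, tag).text = "UpdateAndExit"
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def update_account_guids_present(xml_text: str) -> bool:
    catalog = _catalog_element(ET.fromstring(xml_text))
    return any(_local(c.tag) == "UpdateAccountGUIDs" for c in catalog)


def leftover_refresh_settings(ini_text: str, xml_text: str) -> list:
    """Findings for the post-refresh state: the post marks turning the flag back
    off as required for security, so both edits must have been reverted."""
    findings = []
    if guid_refresh_flag_enabled(ini_text):
        findings.append("NQSConfig.INI: FMW_UPDATE_ROLE_AND_USER_REF_GUIDS is still YES")
    if update_account_guids_present(xml_text):
        findings.append("instanceconfig.xml: UpdateAccountGUIDs element is still present")
    return findings


if __name__ == "__main__":
    on_ini = set_guid_refresh_flag(SAMPLE_NQSCONFIG, True)
    on_xml = set_update_account_guids(SAMPLE_INSTANCECONFIG, True)
    print("\n".join(leftover_refresh_settings(on_ini, on_xml)) or "nothing left enabled")
```

Running `leftover_refresh_settings` against the live files after the final opmnctl restart is a cheap way to confirm that the "set it back to NO" and "remove the UpdateAccountGUIDs entry" steps were not skipped.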


Once you have restarted WebLogic, check that you can still log in to the WebLogic Administration Console as the WebLogic admin user you specified during installation.
Next, check that you can log in to Oracle BI using the credentials of one of the Active Directory users.

References:

FYI: https://forums.oracle.com/forums/thread.jspa?threadID=2251295
Steps to configure OBIEE 11g LDAP SSL Authentication by configuring the Authentication Provider in Weblogic: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=BULLETIN&id=1326641.1

Thanks

Deva

Saturday, January 14, 2012

Strange Security Issues in Obiee11g

FYI, in OBIEE 11g (11.1.1.5.0) we faced an issue with Application Role names: a name should contain only letters. If you name roles like the examples below, the application role does not apply the permission setup as we expect.

So please don't name roles like 01_Manager, 02_Student, or use -, #, numbers, etc.

Thanks

Deva