12c Upload RPD Fails (Linux, LDAP Authentication)
We're trying to get 12c v12.2.1.2 running in Linux (Red Hat, FWIW). This is an upgrade from 11g 11.1.1.7 in Windows. So, a lot of moving parts.
We have it working, except we are unable to upload a new RPD into the server. I am actually trying to upload a new, completely empty .rpd file created with the 12c Admin tool. Here is the command we are using:
./datamodel.sh uploadrpd -I foobar.rpd -SI ssi -U user123
That returns the error:
uploadRpd Failed: Metadata Lock could NOT be acquired.
Note that user "user123" is a user identified in our enterprise LDAP store, which has been integrated with 12c as our primary authenticator. We can successfully log into the 12c dashboards using our LDAP IDs and passwords, so we know that's working. We originally were trying to upload with user "weblogic", but that failed with the error "An unknown exception occurred: null", which is completely unhelpful, thanks Oracle!
And but so, it seems we got a little closer to success when using one of our regular IDs. Diving into the logs, I found this:
javax.ws.rs.WebApplicationException: HTTP 401 Unauthorized
    at oracle.bi.restkit.security.auth.RequiredGroupAuthoriser.authorise(RequiredGroupAuthoriser.java:45)
    at oracle.bi.lcm.rest.PotentiallySecureLcmEndpoint.authorise(PotentiallySecureLcmEndpoint.java:33)
So this has me thinking that user123 is not authorized to upload the RPD. It is in the BIAdministrators app role, but at this level of operation I really don't think app roles figure into it. My guess is that the user ID used to upload the RPD must somehow be in the default authenticator's Admin group (like "weblogic" is), but there's no way to accomplish that that I can see?
For what it's worth, in the Providers list for security realm "My Realm", we have:
Novell Authenticator (set to sufficient)
Default Authenticator (set to sufficient)
Trust Service Identity Asserter
Default Identity Asserter
Any and all help is appreciated.
Answers
-
Bumping this once, just in case.
We have a sev 2 service request for this problem and it's been 2 weeks with no response. Seems Oracle doesn't know the answer either. I do not get why they removed this functionality from EM and made it a command-line operation. 1997 called, it wants its user interface back.
0 -
Anything here of assistance? Oracle BI 12.2.1.2.0 Upload RDP Failed
0 -
a) Command lines aren't "bad" or "outdated". They are a lot better for devops than GUIs.
b) Have you already checked if the migration messed up your application policies?
I've written my own manual migration for a reason. I.e. not getting all that legacy rubbish over from 11g.
0 -
Hi,
You are right, you can't use LDAP users to do the upload RPD. I tried it and it failed with a similar error. I had to use "weblogic" or another local admin user I created manually. Try putting your DefaultAuthenticator first to see if it makes any difference.
0 -
Let's agree to disagree on the benefits of command-line-based configuration and maintenance of complex systems! As for developers, I've been a developer for 30 years and spent the first half in mainframe, Unix, and Solaris command-line environments. Give me an IDE over vi any day. And if they have a feature already operational in their, ahem, "Enterprise Manager" tool, why take it out? If I had a dollar for everything Oracle did that didn't make sense to me, well, I wouldn't be sitting here writing this post!
Problem was an internal miscommunication about the configuration of our 'weblogic' user. IOW our corporate-required password randomizer didn't communicate the correct password to me (my fault - computers do exactly what you tell them to). Putting the DefaultAuthenticator first in the list allowed it to work for a non-'weblogic' user which I created in the WL LDAP store, but that turned out to be unnecessary.
Note to future readers: the error "An unknown exception occurred: null" means "invalid password". Maybe if Oracle's developers had an IDE they would have done proper error-handling.
0 -
justthefacts wrote: Problem was an internal miscommunication about the configuration of our 'weblogic' user. IOW our corporate-required password randomizer didn't communicate the correct password to me (my fault - computers do exactly what you tell them to). Putting the DefaultAuthenticator first in the list allowed it to work for a non-'weblogic' user which I created in the WL LDAP store, but that turned out to be unnecessary.
Ah, the joys of the security realms. Good catch, that one gets a lot of people.
0