Oracle Business Intelligence

Products Banner

Deleted all default roles and groups within Enterprise Manager Console

Received Response
151
Views
20
Comments

Hi guys,

I have deleted all Oracle predefined roles and groups within Enterprise Manager Console this morning without knowing, what impact this issue will have.

I did it because I also created some own roles and groups manually and I also assigned our weblogic user to them. Within the Oracle BI webplatform my adjustments seemed to work but now I have the major problem, that the weblogic user does not have the propper rights to access the Enterprise Manager Console and the BI Administration Tool anymore.

I have already contacted the oracle support via SR: SR 3-14963522241 : Deleted default groups and roles (https://support.oracle.com/epmos/faces/SrDetail?_adf.ctrl-state=kh2rr90vv_9&srDetailRelativeDateParam=null&queryModeName… )

I have also checked the OTN and the web for any help on this problem and I found some threads within the OTN which are similar but not really helpful for my case.

The Oracle version of OBI EE is: 12.2.1.0.0

I sadly also do not have any backup of the "jps-config.xml"-file. The only thing we did in the past to upgrade from Oracle BI 12.1.0.0.0 to 12.2.1.0.0

Do you guys see any chance to restore the default roles and groups within Oracle Enterprise Manager Console using Linux Shell?

Thx in advance

Carsten

Answers

  • 1715906 wrote:Hi guys,I have deleted all Oracle predefined roles and groups within Enterprise Manager Console this morning without knowing, what impact this issue will have.

    Hi Carsten,

    If your custom roles are supposed to inherit from standard roles...they won't anymore.

    Any application policy and granted permission set to those standard roles (any be extension their inheritants)...won't work anymore.

    So it really depends if you actually need the vanilla stuff or not.

  • Carsten Weber
    Carsten Weber ✭✭✭✭

    Does anyone know where the assigned rules and groups - which are used in Oracle Enterprise Manager Console - are stored on the file system?

    My thought was that I could simply replace this file with a file of a clean installation. Can maybe someone provide me such file since I only want to retrieve the default groups and roles?

  • Well you can import a vanilla BAR file and only import security while not importing RPD+webcat but that will wipe out your config:

    https://docs.oracle.com/middleware/12211/biee/BIESG/GUID-D74741C6-D069-4ABF-A574-C9A57A7FE6D0.htm#BIESG9320

  • Syedsalmancs110
    Syedsalmancs110 ✭✭✭✭✭

    Hi Carsten,

    Don't think OBIEE 12c Application Roles and Groups assignment are File based like OBIEE 11g , from OBIEE 12c OPSS(Oracle Platform Security Services) are database based and it is still unknown(at least to me) where application role and group assignment are stored in OBIEE 12c onward.

    Could you please confirm if you deleted Administrators group from Weblogic Console(http://machinename:port/console) too??

    Because "Administrators" group is the one which when assigned to user give Admin Privilege to access Admin Console and Enterprise Manager(http://machinename:port/em) as this group is assigned to Global Privileges within Roles in Admin Console.

    Addition: Do you have any user which is still part of Administrator group you can try login with that user , if you have one.

    Better work with Oracle Weblogic Support to try and recover the same,but as far I think its going to be bit difficult task.

    Thanks and Regards,

    Syed Hamd Salman

  • Syedsalmancs110
    Syedsalmancs110 ✭✭✭✭✭

    Well I think Vanilla BAR file would not give him access back to Admin Console and Enterprise Manager, will it?

    Isn't it just going to get him back Default Application Roles along with SampleAppLite RPD and Catalog.

  • Syed Hamd Salman wrote:...from OBIEE 12c OPSS(Oracle Platform Security Services) are database based and it is still unknown(at least to me) where application role and group assignment are stored in OBIEE 12c onward

    There are a bunch of tables in one of the schemas created by the RCU, but it's isn't a simple relational model where you easily find who is part of which group etc.

    All these things are stored into a LDAP (the Weblogic embedded LDAP) which is stored in the database, so the format is more than weird and by hand it isn't really manageable directly at the DB level (better to stay away).

  • sigh

    Ok what do you expect? That I tell him which OPSS.CT_xyz table to hack? No. Definitely no. You're not supposed to touch these tables. EVER.

  • Carsten,

    Can you access either Weblogic enterprise manager  . (normally <host>:<port>/em)?

    or Weblogic Server Administration Console  (Normally <host>:port/console) ?

  • Carsten Weber
    Carsten Weber ✭✭✭✭

    I do not have access to enterprise manager and also not to weblogic server administration console using the weblogic admin user.

    I just found out that there still exists one default Oracle role called "Admin". Unfortunately this role is not linked to any using within our system.

    Do you think it is worth it to use one of our database backups which contains our repository?

  • Syedsalmancs110
    Syedsalmancs110 ✭✭✭✭✭

    Hi Carsten,

    Could you try below steps and see if it helps you to gain back access to Admin Console and Enterprise Manager.

    a) Stop your OBIEE Stack i.e. Admin Server, Managed Server and BIEE Services by running below command from following location <DOMAIN _HOME>\bitools\bin

    ./stop.sh (FOR UNIX)

    stop.cmd (FOR WINDOWS)

    b) On your OBIEE Server at following location <DOMAIN _HOME>\servers\AdminServer rename your "data" folder to "data_backup"


    Don't worry this folder(data) would be recreated during Admin Server startup.

    c) Now just bring back UP your Admin Server by running below command from following location <DOMAIN _HOME>\bitools\bin

    ./start.sh -i AdminServer (FOR UNIX)

    start.cmd -i AdminServer (FOR WINDOWS)

    Now what I am hoping from above step is this will overwrite your Embedded LDAP security and Weblogic user would be assigned back to Administrator Group giving back you access to Weblogic Console and Enterprise Manager and if steps are successful and you get back the access to Console and EM then you can import 12C default BAR file to get back your default Application Roles too as suggested by Christian Berg in previous post, but that could only done once you have have your admin user back, right now you have your Admin User(weblogic) but it is not part of Administrator group hence will not be able to run WLST commands I guess.

    But be aware that these steps if successful will not recover your newly created Users and Groups which doesn't come by default with OBIEE 12c.

    Thanks and Regards,

    Syed Hamd Salman

  • Carsten Weber
    Carsten Weber ✭✭✭✭

    I have tried using ./stop.sh and it shows the following output:

    Stopping domain; Using domainHome: /opt/oracle/base/product/fmw/user_projects/domains/bi ...

    Initializing WebLogic Scripting Tool (WLST) ...

    Welcome to WebLogic Server Administration Scripting Shell

    Type help() for help on available commands

    <May 24, 2017 10:49:40 AM CEST> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>

    <May 24, 2017 10:49:40 AM CEST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>

    <May 24, 2017 10:49:40 AM CEST> <Info> <Security> <BEA-090909> <Using the configured custom SSL Hostname Verifier implementation: weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier.>

    Failed to connect to node manager.  Assuming no domain processes running.

    Can you tell me where to find the start-script for Node Manager?

  • Syedsalmancs110
    Syedsalmancs110 ✭✭✭✭✭

    In 12c Node Manager Script would be at following location <DOMAIN_HOME>\bin

    Don't you think you are getting this message may be because your Application(Node Manager, Admin Server, Managed Server and BIEE Services) are already down?

  • Carsten Weber
    Carsten Weber ✭✭✭✭

    Yeah I have just checked. When performing a "bi_Status" it tells me Note Manager is not running.

    Unfortunately it also seems that I can't restart it using shell.

  • Syedsalmancs110
    Syedsalmancs110 ✭✭✭✭✭

    Are you saying that your Node Manager isn't starting using startNodemanager.sh script?

    If your BI servers and services are already down then no need to start them up individually just follow rest of the steps, step(c) will take care of Node Manager startup:

    b) On your OBIEE Server at following location <DOMAIN _HOME>\servers\AdminServer rename your "data" folder to "data_backup"

        Don't worry this folder(data) would be recreated during Admin Server startup.

    c) Now just bring back UP your Admin Server by running below command from following location <DOMAIN _HOME>\bitools\bin

    ./start.sh -i AdminServer (FOR UNIX)

    start.cmd -i AdminServer (FOR WINDOWS)

  • Carsten Weber
    Carsten Weber ✭✭✭✭

    Ok I have tried your suggestion but it has not worked.

    1. New data directory was created

    2. It shows me an error message:

    Starting AdminServer ...

    Unable to connect to AdminServer on host: Domain

    Failed to start one or more Servers

    /Servers/AdminServer/ListenPort=9500

    Accessing admin server using URL t3://Domain:9500

    Start Admin Server connect Exception caught Error occurred while performing connect : Error getting the initial context. There is no server running at t3://modi.gwi-net.com:9500 : Failed to initialize JNDI context, tried 1 time or times totally, the interval of each time is 0ms.

    t3://Domain:9500: Destination 10.128.74.30, 9500 unreachable.; nested exception is:

            java.net.ConnectException: Connection refused; No available router to destination.; nested exception is:

            java.rmi.ConnectException: No available router to destination.

    Use dumpStack() to view the full stacktrace :

    Reading domain...

    Error: runCmd() failed. Do dumpStack() to see details.

    Failed to get Status of Servers and System Components

  • @1715906 yeah that can't really have worked. you're in quite of a bind there and unfortunately your environment is pretty much kaputt unless you have database backups from before the deletion.

  • Carsten Weber
    Carsten Weber ✭✭✭✭

    Actually I just got the AdminServer running again:

    Starting specific servers ...

    Finished starting servers

    Status of Domain: /opt/oracle/base/product/fmw/user_projects/domains/bi

    NodeManager (modi.gwi-net.com:9506): RUNNING

    Name            Type            Machine                   Status

    ----            ----            -------                   ------

    AdminServer     Server          modi.gwi-net.com          RUNNING

    bi_server1      Server          modi.gwi-net.com          FAILED_NOT_RESTARTABLE

    obips1          OBIPS           modi.gwi-net.com          SHUTDOWN

    obijh1          OBIJH           modi.gwi-net.com          SHUTDOWN

    obiccs1         OBICCS          modi.gwi-net.com          SHUTDOWN

    obisch1         OBISCH          modi.gwi-net.com          SHUTDOWN

    obis1           OBIS            modi.gwi-net.com          SHUTDOWN

    ohs_bi          OHS             modi.gwi-net.com          SHUTDOWN

    I just copied the files which where contained in an old EmbeddedLDAPBackup.zip-file to the directory: /AdminServer/data/ldap/ldapfiles

    This did not bring up any error when I ran the "./start.sh -i AdminServer" command.

  • Carsten Weber
    Carsten Weber ✭✭✭✭

    The question is, how does this new state help me since I can't connect to Enterprise Manager using web url?

  • Can you connect to the server through wlst on t3?

  • Carsten Weber
    Carsten Weber ✭✭✭✭

    Ok I got it working again. I just restarted all services and it was successful. The login to Enterprise Manager also works.

    Thanks everyone for your help!