20 Replies. Latest reply: Apr 9, 2013 9:39 AM by Filip Huysmans

OVD: necessary attributes

Filip Huysmans Newbie
Hello everyone,

OBIEE 11.1.1.6.0
WLS: 10.3.5
OVD: 11.1.1.6.0

We are trying to set up Oracle Access Manager as an SSO solution for OBIEE and custom Java applications.
We are using Oracle Virtual Directory to give us an LDAP interface on the custom user management system of the client.
We built a small ADF application that is testing our security setup. We deployed it on the OBIEE server and we successfully log in through OAM and OVD, and see the application with the correct security context.
We now assume that the OVD and OAM settings are correct.

The next step is to integrate the OBIEE analytics application. We followed the documentation and, besides setting the OVDAuthenticator and the OAMIdentityAsserter, we also activated SSO in the FMW console for the entire domain. After rebooting all systems, we can only log in with users from the local WLS LDAP, but not from the OVDAuthenticator, while this is possible with the simple ADF app.
We are not yet using OAM to log in, just the plain simple OBIEE login screen.

This leads me to believe that there are some crucial attributes to be made available through OVD for OBIEE analytics.

Does anyone know which attributes are needed for OBIEE analytics?

Thank you in advance.

Filip Huysmans.
A non OBIEE expert.
  • 1. Re: OVD: necessary attributes
    SunilSharma Expert
    See the link for more info: http://idmconcepts.blogspot.com/2010/10/configuring-ovd-as-user-identity-store.html

    Please let me know if that helps
  • 2. Re: OVD: necessary attributes
    Filip Huysmans Newbie
    Hello,

    thank you for your response.
    I had already read the blog. But this part is already working.
    It is the requirements needed for BIEE that are of importance.

    If you have/find a blog in the context of OBIEE, I'm more than happy to read it.

    Thank you again for your response.

    Filip
  • 3. Re: OVD: necessary attributes
    SunilSharma Expert
    Follow this link for OBIEE http://www.askjohnobiee.com/2012/08/how-to-oracle-internet-directory.html

    Let me know if that helps
  • 4. Re: OVD: necessary attributes
    Filip Huysmans Newbie
    Hi RM,

    thank you for the link, but ...
    I find a lot of examples of OID integrations, but nowhere do they say which attributes you need to add to the user account.
    I believe my problem is the fact that I'm missing some of these attributes. I just need to know which one.
    Probably with OID these attributes are prefilled or filled correctly.

    Thank you in advance.

    Filip
  • 5. Re: OVD: necessary attributes
    SunilSharma Expert
    On Provider Specific tab, set these fields and leave others at default

    Host: IP <or OVD host>

    Port: 389 <or OVD port>

    Principal: cn=svcOBIEE,ou=Service Accounts,dc=<server>,dc=net

    Credential: <password from OVD for service account used as principal>

    User Base DN: dc=<server>,dc=net

    All Users Filter: (&(emplid=*)(objectclass=person))

    User From Name Filter: (&(emplid=%u)(objectclass=person))

    User Name Attribute: emplid

    Group Base DN: ou=<env> groups,ou=app groups,dc=<server>,dc=net

    All Groups Filter: (&(cn=*)(objectclass=groupofUniqueNames))

    Group From Name Filter: (&(cn=%g)(objectclass=groupofUniqueNames))

    GUID Attribute: uid or Cn

    Press Save

    From Providers tab, click on DefaultAuthenticator and on common tab, change

    Control Flag: Sufficient

    From Providers tab, press Reorder and move OVD provider to top.

    Activate changes and restart Admin server.

    You will be filling in the above filters; the rest of them are default.

    Let me know if it helps.

    Mark it as helpful or correct, whichever makes sense to you.

    Thanks,
    RM
  • 6. Re: OVD: necessary attributes
    Filip Huysmans Newbie
    Hi RM,

    these settings are not the problem, since I see the users and their groups,
    but the problem lies "probably" in the attributes we set for the user identity in the OVD configuration.
    So things like cn, givenName, memberOf, ... I'm searching for the list of these kinds of attributes.

    Thank you in advance.

    Filip Huysmans.
  • 7. Re: OVD: necessary attributes
    Turbokat Pro
    Hello Filip,

    Which provider does your trusted BISystem belong to? Default, or did you create a new BISystemUser account in the custom user management system of the client to match the account for the DefaultAuthenticator one?

    I assume you have enabled the virtualize = true property in the Identity Provider configuration settings.

    Also, did you refer to http://docs.oracle.com/cd/E21043_01/bi.1111/e10543.pdf#G7.1003808653 whilst configuring your custom properties for username.attr and user.attr?

    Please let us know.

    Thanks,
    SVS
  • 8. Re: OVD: necessary attributes
    Filip Huysmans Newbie
    Hi SSVS,

    thanks a lot for these useful tips. I implemented the virtualize and the 2 extra attributes for username and user.
    After rebooting, I still see the same result.
    Oracle Support has advised me to install the bidiagnostic tool. I'm looking into that for the moment.

    Again thanks a lot.

    KYP.

    Filip Huysmans.
  • 9. Re: OVD: necessary attributes
    Turbokat Pro
    Thanks for the update, Filip. Also, did you create a user called BISystem user in your user store, which is in your custom user management system?

    Please refer to the guide for more instructions; one of the prerequisites is to have an existing user, or a user named BISystemUser, which will have to replace the default WebLogic authenticator BISystemUser. Once done, you need to make this new trusted BISystemUser a member of the BISystem Role from EM Application Roles and reset the BISystemUser password in a couple of places per the guide.

    If you still have issues, then I would suggest enabling the atz and atn logging for authentication and authorization in WebLogic: bi_server1 -> Debug -> WebLogic -> Security -> atn (for Authentication) and atz (for Authorization), and click Enable.

    Now your bi_server1 log file will show you the info on how it is going about authentication and post errors there.

    Hope this helps.

    Thanks,
    SVS
  • 10. Re: OVD: necessary attributes
    Filip Huysmans Newbie
    Hi SSVS ,

    at first we thought that I didn't need to do the creation of the extra BiSystemUser, since we kept the defaultAuthenticator in place.
    So I performed the steps necessary. I didn't remove the existing BISystemUser, should I have done that?
    Then I started with the refresh of the user GUIDs. Once I changed the 2 conf files, the ./opmnctl startproc ias-component=coreapplication_obis1
    doesn't start anymore.
    Error:
    [2013-03-22T15:21:27.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: ] [tid: 5cf3720] [nQSError: 43146] FMW_UPDATE_ROLE_AND_USER_REF_GUIDS inside NQSConfig.INI is set to Yes but the server failed to connect to BI Security Service.
    [2013-03-22T15:21:27.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: ] [tid: 5cf3720] Server start up failed: [nQSError: 43146] FMW_UPDATE_ROLE_AND_USER_REF_GUIDS inside NQSConfig.INI is set to Yes but the server failed to connect to BI Security Service.

    Any idea what is wrong here?

    Thank you in advance.
  • 11. Re: OVD: necessary attributes
    SunilSharma Expert
    Filip Huysmans wrote:
    Hi SSVS ,

    at first we thought that I didn't need to do the creation of the extra BiSystemUser, since we kept the defaultAuthenticator in place.
    So I performed the steps necessary. I didn't remove the existing BISystemUser, should I have done that?
    Then I started with the refresh of the user GUIDs. Once I changed the 2 conf files, the ./opmnctl startproc ias-component=coreapplication_obis1
    doesn't start anymore.
    Error:
    [2013-03-22T15:21:27.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: ] [tid: 5cf3720] [nQSError: 43146] FMW_UPDATE_ROLE_AND_USER_REF_GUIDS inside NQSConfig.INI is set to Yes but the server failed to connect to BI Security Service.
    [2013-03-22T15:21:27.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: ] [tid: 5cf3720] Server start up failed: [nQSError: 43146] FMW_UPDATE_ROLE_AND_USER_REF_GUIDS inside NQSConfig.INI is set to Yes but the server failed to connect to BI Security Service.

    Any idea what is wrong here?

    Thank you in advance.

    You need to change the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS to No instead of yes and then restart the application using opmnctl or through EM.
  • 12. Re: OVD: necessary attributes
    Turbokat Pro
    Hello Filip,

    When you are trying to use OVD and LDAP, a user called BISystemUser needs to be created in your custom user management and be assigned to the Administrators group in OVD if there is one. Yes, you need to remove the existing BISystem user and create a new one (I strongly recommend taking a backup of all the realms before doing this; follow: http://twobiee.blogspot.com/2012/06/obiee-migrating-users-and-security.html)

    Then BISystemUser needs to be a member of the BISystem Application Role under Fusion Middleware Control.

    The refresh GUIDs behavior you have mentioned, about not getting the Presentation Services up, is expected; once you have changed the tags back to default and restarted, it should start up.

    Do these per the guide instructions ( http://docs.oracle.com/cd/E21043_01/bi.1111/e10543.pdf#G7.1003808653 ) and let us know if you still have issues.

    Hope this helps.

    Thanks,
    SVS
  • 13. Re: OVD: necessary attributes
    Filip Huysmans Newbie
    Hi RM,

    I was under the impression that I needed to put it to YES and restart the services.
    Then put it back to NO and restart the services. When setting it to NO, everything works fine, but then the recalculation of the GUIDs doesn't take place.

    Here is the doc:
    To refresh user GUIDs, perform the following steps on APPHOST1 and APPHOST2. Note that GUID refresh must occur with only one node operating at a time.
    
        Stop Oracle BI Server and Presentation Services on all nodes except where you are refreshing the user GUIDs. For example:
    
        cd ORACLE_HOME/admin/instancen/bin
        ./opmnctl stopproc ias-component=coreapplication_obips1
        ./opmnctl stopproc ias-component=coreapplication_obis1
    
        Update the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI:
    
            Open NQSConfig.INI for editing at:
    
            ORACLE_INSTANCE/config/OracleBIServerComponent/coreapplication_obisn
    
            Locate the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter and set it to YES, as follows:
    
            FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
    
            Save and close the file.
    
        Update the Catalog element in instanceconfig.xml:
    
            Open instanceconfig.xml for editing at:
    
            ORACLE_INSTANCE/config/OracleBIPresentationServicesComponent/
            coreapplication_obipsn
    
            Locate the Catalog element and update it as follows:
    
            <Catalog>
            <UpgradeAndExit>false</UpgradeAndExit>
            <UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>
            </Catalog>
    
            Save and close the file.
    
        Restart the Oracle BI Server and Presentation Services using opmnctl:
    
        cd ORACLE_HOME/admin/instancen/bin
        ./opmnctl stopproc ias-component=coreapplication_obips1
        ./opmnctl stopproc ias-component=coreapplication_obis1
        ./opmnctl startproc ias-component=coreapplication_obis1
    
        After you confirm that the Oracle BI Server is running, then start Presentation Services:
    
        ./opmnctl startproc ias-component=coreapplication_obips1
    
        Set the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI back to NO.
    
        Important: You must perform this step to ensure that your system is secure.
    
        Update the Catalog element in instanceconfig.xml to remove the UpdateAccountGUIDs entry.
    
        Restart the Oracle Business Intelligence system components again using opmnctl:
    
        cd ORACLE_HOME/admin/instancen/bin
        ./opmnctl stopall
        ./opmnctl startall

    Thank you very much for your reply.

    Filip

    Edited by: Filip Huysmans on Mar 22, 2013 9:24 AM
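
A read-only check for the last steps of the GUID-refresh procedure quoted in reply 13 (FMW_UPDATE_ROLE_AND_USER_REF_GUIDS back to NO, UpdateAccountGUIDs entry removed), as an added example that is not part of the original thread or of Oracle's documentation. The function names, the comment handling for both files and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Effective FMW_UPDATE_ROLE_AND_USER_REF_GUIDS value; lines starting with a
# comment marker are ignored (assumed comment syntax), last assignment wins.
guid_refresh_flag() {
    awk -F= '
        $1 ~ /^[ \t]*FMW_UPDATE_ROLE_AND_USER_REF_GUIDS[ \t]*$/ {
            v = $2; sub(/;.*/, "", v); gsub(/[ \t\r]/, "", v); last = toupper(v)
        }
        END { print (last == "" ? "UNSET" : last) }' "$1"
}

# Value of <UpdateAccountGUIDs> outside XML comments, or ABSENT.
catalog_guid_update() {
    v=$(awk '{
        line = $0; out = ""
        while (line != "") {
            if (c) {                       # inside <!-- ... -->
                i = index(line, "-->")
                if (!i) break
                line = substr(line, i + 3); c = 0
            } else {
                i = index(line, "<!--")
                if (!i) { out = out line; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); c = 1
            }
        }
        print out
    }' "$1" | tr -d ' \t\r\n' |
        sed -n 's/.*<UpdateAccountGUIDs>\([^<]*\)<\/UpdateAccountGUIDs>.*/\1/p')
    echo "${v:-ABSENT}"
}

# Returns 0 only when both files are in the state the quoted procedure ends in.
guid_refresh_reverted() {    # $1 = NQSConfig.INI, $2 = instanceconfig.xml
    rc=0
    flag=$(guid_refresh_flag "$1"); upd=$(catalog_guid_update "$2")
    [ "$flag" = "NO" ] || { echo "FAIL: FMW_UPDATE_ROLE_AND_USER_REF_GUIDS=$flag"; rc=1; }
    [ "$upd" = "ABSENT" ] || { echo "FAIL: UpdateAccountGUIDs=$upd"; rc=1; }
    return $rc
}

# Constructed sample: both files still in the mid-procedure state.
d=$(mktemp -d)
printf '%s\n' 'FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;' > "$d/NQSConfig.INI"
printf '%s\n' '<Catalog>' '<UpgradeAndExit>false</UpgradeAndExit>' \
    '<UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>' '</Catalog>' > "$d/instanceconfig.xml"
guid_refresh_reverted "$d/NQSConfig.INI" "$d/instanceconfig.xml" || echo "not reverted"
rm -rf "$d"
```

Run against the real files on each node after the final restart; a non-zero return means one of the temporary settings is still in place.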
  • 14. Re: OVD: necessary attributes
    SunilSharma Expert
    After changing FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES; in NQSConfig.INI and
    <Catalog>
    <UpgradeAndExit>false</UpgradeAndExit>
    <UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>
    </Catalog>

    in instanceconfig.xml, try to restart all services using EM or through the command line (./opmnctl stopall and startall). Once it's up, revert the changes and then do a complete restart using the command line: ./opmnctl stopall and startall.