@aheljula
Agenda
- Aim of Presentation
- 10g Security Model
- 11g Security Model
- What is Supported
- Identity Providers
- Groups
- GUIDs
- SSL
- Single Sign On (SSO)
- Important Files
- Migration
- Closing Thoughts
Aim of Presentation
- To explain the key concepts behind the Oracle BI 11g security model
- Clarify what is and what is not supported
- Demonstrate that it can achieve great results
- Explain why the 11g security model is better than 10g: you don't need the 10g security model any more!
- Discuss some advanced topics such as SSO, SSL and migration
- It is getting better... we can look forward to a brighter future!
10g Security Model

Diagram: BI Presentation Services holds Catalog Groups; BI Server holds Groups.

- Catalog Groups apply responsibilities for BI Presentation Services. They can be inherited from other Catalog Groups and also from BI Server Groups.
- Groups apply responsibilities for BI Server.
Diagram (10g model): Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) -> BI Server Groups -> BI Presentation Services Catalog Groups (Answers Access, Delivers Access).
11g Security Model

Diagram (11g model): Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) -> APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access), shared by BI Presentation Services and BI Server.
1) Greater control for the OBI Administrator
2) Corporate LDAP less complex
3) Simpler architecture
4) More flexibility
5) Greater consistency between OBIPS and OBIS
Diagram (where 11g security is configured): Weblogic Console (Corporate LDAP users and groups), FMW Control (Application Roles), RPD (BI Server), Catalog & Manage Privileges (BI Presentation Services).
Within the RPD you can apply security rules to Application Roles:

- Access to Subject Area contents
- Access to Connection Pools
- Apply Data Filters
- Apply Query Limits
Within the Presentation Layer you can use Application Roles for:

- Managing privileges
- Object access permissions within the Catalog
When you install Oracle BI 11g, you get the following mapping between Users, Groups and Roles:

USERS: BISystem Component

GROUPS -> ROLES:
- BIAdministrators -> BIAdministrator (BIAdministrators is a member of BIAuthors)
- BIAuthors -> BIAuthor (BIAuthors is a member of BIConsumers)
- BIConsumers -> BIConsumer
Each of the default Application Roles is allocated one or more Application Policies. These Application Policies provide access to certain Resources within Oracle BI.

The BIAdministrator role can:
- Manage Repositories
- Manage Jobs
- Manage the Presentation Catalog
- Administer BI Server

The policies for the BIAdministrator role provide access to the Administration screen. The policies for the BIAuthor role provide access to the entire New menu to create new reporting objects.

NOTE: Confusion still remains as to why these types of privilege are not on the Manage Privileges screen along with everything else.
- What Roles and Policies Should I Have?
- When Should I Use the WebLogic LDAP?
- Can I Have Multiple Identity Providers?
- Where Do I Get My Groups From?
- What are GUIDs?
- Do I Still Need SA System Subject Area?
- What Are The Important Files?
- How Do We Migrate Between Environments?
- Can I Still Use The 10g Security Model?
- How Do You Implement SSL?
- How Do You Implement SSO?
- What Do I Do When it All Goes Wrong?
What Roles and Policies Should I Have?

Default Roles and Policies

First of all, use the new default Application Roles to distinguish between your 3 main types of user:
- Administrators
- Report Developers
- Everyone Else

By default, all authenticated users will get the BIConsumer Role, so you only need to manage the allocation of the BIAuthor/BIAdministrator Roles. There is typically no need to alter the Application Policies that are assigned to each role.

The default policies provide a convenient way to restrict access to core Oracle BI system resources.
You can then have your own custom Application Roles to manage access and privileges at a more granular level. For example:

- Sales Manager Role: Access to the Sales Manager Dashboard
- HR Manager Role: Access to the HR Manager Dashboards
- BI Answers Role: Access to Answers
- BI Delivers Role: Access to Delivers
Diagram: LDAP (GROUPS: BIAdministrator, BIAuthor, BIConsumer, Sales Manager; USERS: ASMITH) -> APPLICATION ROLES (BIAdministrator, BIAuthor, BIConsumer, Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server.
When Should I Use the WebLogic LDAP?
The Embedded WebLogic LDAP is relatively basic compared to the more enterprise LDAP solutions (e.g. OID, AD). Oracle advise no more than 1,000 users.
Can I Have Multiple Identity Providers?
Yes. It is possible to add multiple other Identity Providers within WebLogic Console. By default, there are two embedded WebLogic providers:

- DefaultAuthenticator (Embedded WebLogic LDAP)
- DefaultIdentityAsserter
What is Supported

Supported arrangements:
- Users and Groups in LDAP
- Users and Groups in Database
- Users in LDAP and Groups in Database

Supported providers:
- WebLogic LDAP
- Active Directory
- iPlanet
- Oracle Internet Directory (OID)
- Oracle Virtual Directory (OVD)
- Novell (eDirectory 8.8)
- OpenLDAP
- SQL
- Tivoli Directory Server 6.2
- SQL Group Lookup

Adding new Identity Providers is straightforward via the New button.

You can reorder the list of providers so that authentication is performed in a different order, e.g.:
1. OID
2. WebLogic LDAP
Diagram (users in LDAP, groups in a database): Weblogic authenticates the users, EBS supplies the Groups -> APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server.
The 11g security model now supports this type of arrangement. A new provider, BISQLGroupProvider, is available to obtain Groups from a database:

- Available in 11.1.1.6 (with some configuration)
- Available in 11.1.1.5 (patch 11667221)

See TechNote_LDAP_Auth_DB_Groups_V3.pdf
When you have multiple Identity Providers you should set the virtualize = true custom property within FMW Control.

NOTE: If you cannot get the setting to work, try restarting the Managed Server and OPMN processes via FMW Control rather than the command line.
Diagram: WebLogic LDAP -> APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server, with BISystemUser shown between BI Presentation Services and BI Server.
Where Do I Get My Groups From?
When you have multiple identity providers, the Groups for each user will be obtained from the same provider that they authenticated against. For example, corporate end users will obtain their Groups from OracleInternetDirectory, as this is where they are authenticated.
A BI SQL Group Lookup identity provider is always assigned to a single LDAP provider:

- The Groups will only come from the BI SQL Group Lookup provider
- Any Groups in the LDAP store are ignored

In this example, any user authenticating using OracleInternetDirectory will obtain their Groups from the BISQLGroupProvider. Any Groups assigned to the user in OID will be ignored.
If you are using the WebLogic LDAP as an authenticator then you will need to maintain your Groups in this store. But Groups from other identity providers (e.g. OID) will be automatically integrated (as shown below); you don't need to create them manually.
Your internal and external Groups are immediately available to be assigned to Application Roles. The BIAuthor Role will be assigned to users belonging to the corresponding BIAuthor groups in both WebLogic LDAP and OID.

Peak Indicators Limited
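The group-sourcing rules above (groups come from the authenticating provider, a bound BI SQL Group Lookup replaces the LDAP groups, every authenticated user gets BIConsumer, and the default groups nest) are easier to reason about as a small model. The following is an added example, not Oracle's code; the provider names, users, passwords and group tables are constructed, and the nesting and group-to-role mapping are assumptions based on the defaults described on the slides.

```python
"""Model of how Oracle BI 11g turns a login into Application Roles.

Added example, not Oracle code. It models the behaviour the slides describe:
  - WebLogic tries the configured identity providers in order;
  - a user's groups come from the provider that authenticated them;
  - a BI SQL Group Lookup bound to that provider replaces the LDAP groups
    (they are ignored, not merged);
  - every authenticated user gets BIConsumer, and the default groups nest
    (BIAdministrators is a member of BIAuthors, BIAuthors of BIConsumers).
Provider names, users, passwords and group tables below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Provider:
    name: str
    users: Dict[str, str]                          # username -> password (constructed)
    ldap_groups: Dict[str, Set[str]]               # username -> groups held in this store
    sql_group_lookup: Optional[Dict[str, Set[str]]] = None  # bound BISQLGroupProvider rows


# Default nesting: a member of the key group is also a member of the value group.
DEFAULT_NESTING = {"BIAdministrators": "BIAuthors", "BIAuthors": "BIConsumers"}

# Group -> Application Role (the three defaults plus the slides' custom role).
GROUP_TO_ROLE = {
    "BIAdministrators": "BIAdministrator",
    "BIAuthors": "BIAuthor",
    "BIConsumers": "BIConsumer",
    "Sales Manager": "Sales Manager",
}


def authenticate(providers: List[Provider], user: str, password: str) -> Optional[Provider]:
    """Return the first provider, in configured order, that accepts the credentials."""
    for p in providers:
        if user in p.users and p.users[user] == password:
            return p
    return None


def expand_nesting(groups: Set[str]) -> Set[str]:
    """Add the parent groups implied by the default nesting."""
    out = set(groups)
    frontier = list(out)
    while frontier:
        parent = DEFAULT_NESTING.get(frontier.pop())
        if parent and parent not in out:
            out.add(parent)
            frontier.append(parent)
    return out


def groups_for(provider: Provider, user: str) -> Set[str]:
    """Groups come only from the authenticating provider. If a SQL group lookup
    is bound to it, the groups in the LDAP store are ignored entirely."""
    if provider.sql_group_lookup is not None:
        raw = provider.sql_group_lookup.get(user, set())
    else:
        raw = provider.ldap_groups.get(user, set())
    return expand_nesting(raw)


def roles_for(providers: List[Provider], user: str, password: str) -> Optional[Set[str]]:
    """Application Roles for a login, or None if no provider authenticates the user."""
    provider = authenticate(providers, user, password)
    if provider is None:
        return None
    roles = {"BIConsumer"}  # granted to every authenticated user
    for g in groups_for(provider, user):
        if g in GROUP_TO_ROLE:
            roles.add(GROUP_TO_ROLE[g])
    return roles


# Constructed sample configuration: OID first, then the embedded WebLogic LDAP.
OID = Provider(
    name="OracleInternetDirectory",
    users={"asmith": "oid-pw", "jdoe": "oid-pw"},
    ldap_groups={"asmith": {"Sales Manager"}, "jdoe": {"BIAuthors"}},
    # Groups for OID users come from this table instead (e.g. an EBS database).
    sql_group_lookup={"asmith": {"Sales Manager"}, "jdoe": {"Sales Manager"}},
)
WLS = Provider(
    name="DefaultAuthenticator",
    users={"weblogic": "wls-pw"},
    ldap_groups={"weblogic": {"BIAdministrators"}},
)
PROVIDERS = [OID, WLS]

if __name__ == "__main__":
    for u, pw in [("weblogic", "wls-pw"), ("jdoe", "oid-pw"), ("jdoe", "wrong")]:
        print(u, "->", roles_for(PROVIDERS, u, pw))
```

The point to notice is jdoe: the BIAuthors membership held in OID never reaches the BI Server, because a SQL group lookup is bound to OID, so jdoe ends up with only BIConsumer and Sales Manager. Reordering PROVIDERS changes which store answers for a user who exists in both.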
What are GUIDs?
In Oracle BI 11g, users are recognized by their Global Unique Identifiers (GUIDs), not by their names. GUIDs are identifiers that are completely unique for a given user. Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata are uniquely secured for a specific user, independent of the user name.

Diagram: the BI Server identifies user ASMITH by GUID (5678), not by name.
The GUID feature is there to help secure your OBI environments, especially production. There may however be times when GUIDs become out of sync and you cannot log in as certain users:

- Migrating from WebLogic Embedded LDAP to an alternative identity provider
- Deleting users and then recreating them
- Migrating the Production Presentation Catalog / RPD to the Development environment

Remedies:
- Delete the offending users from the Presentation Catalog and log in again, or
- Refresh GUIDs (explained overleaf)

To ensure your system is secure once again you must revert the configuration changes!
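The out-of-sync failure and the difference between the two remedies can be seen in a toy model of a GUID-keyed catalog. This is an added example, not Oracle's code: the user names, GUID values and catalog paths are constructed, and the catalog, the "delete the user entry" remedy and the "refresh GUIDs" remedy are simplified stand-ins for the real catalog files and the documented refresh procedure (which, as the slide says, involves temporary configuration changes that must be reverted).

```python
"""Why catalog GUIDs go out of sync, and what the two remedies do.

Added example, not Oracle code. Toy model of the behaviour the slides
describe: the Presentation Catalog records users by GUID, so deleting and
recreating a user (or switching identity store) gives the same name a new
GUID and logins fail until the catalog is repaired. Names, GUIDs and paths
are constructed.
"""
import copy
from typing import Dict, List, Optional


class IdentityStore:
    """Users keyed by name; every create() hands out a fresh GUID."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}
        self._counter = 0

    def create(self, name: str) -> str:
        self._counter += 1
        self.users[name] = f"guid-{self._counter:04d}"  # constructed stand-in for a real GUID
        return self.users[name]

    def delete(self, name: str) -> None:
        del self.users[name]

    def guid(self, name: str) -> Optional[str]:
        return self.users.get(name)


class Catalog:
    """Presentation Catalog: user entries and object ownership are keyed by GUID."""

    def __init__(self) -> None:
        self.user_entries: Dict[str, str] = {}  # name -> GUID recorded at first login
        self.owner_guid: Dict[str, str] = {}    # object path -> owner GUID

    def login(self, name: str, guid: str) -> bool:
        """True if the GUID presented matches the catalog's entry for this name
        (a first login creates the entry)."""
        if name not in self.user_entries:
            self.user_entries[name] = guid
            return True
        return self.user_entries[name] == guid

    def save(self, path: str, guid: str) -> None:
        self.owner_guid[path] = guid

    def owned_by(self, guid: str) -> List[str]:
        return sorted(p for p, g in self.owner_guid.items() if g == guid)

    def delete_user_entry(self, name: str) -> None:
        """Remedy 1: delete the offending user's entry and log in again.
        Login works again, but objects still carry the old GUID."""
        self.user_entries.pop(name, None)

    def refresh_guids(self, store: IdentityStore) -> int:
        """Remedy 2: refresh GUIDs. Re-key entries and ownership by user name
        to the GUIDs the identity store currently holds; returns objects remapped."""
        remapped = 0
        for name, old in list(self.user_entries.items()):
            new = store.guid(name)
            if new is None or new == old:
                continue
            self.user_entries[name] = new
            for path, g in self.owner_guid.items():
                if g == old:
                    self.owner_guid[path] = new
                    remapped += 1
        return remapped


def run_scenario() -> Dict[str, object]:
    """Delete and recreate ASMITH, then apply each remedy to a copy of the catalog."""
    store, catalog = IdentityStore(), Catalog()
    g1 = store.create("ASMITH")
    catalog.login("ASMITH", g1)
    catalog.save("/users/asmith/Sales Dashboard", g1)

    store.delete("ASMITH")  # same name recreated: the store issues a new GUID
    g2 = store.create("ASMITH")
    login_after_recreate = catalog.login("ASMITH", g2)

    c1 = copy.deepcopy(catalog)
    c1.delete_user_entry("ASMITH")
    c2 = copy.deepcopy(catalog)
    c2.refresh_guids(store)
    return {
        "guid_changed": g1 != g2,
        "login_after_recreate": login_after_recreate,
        "login_after_delete_entry": c1.login("ASMITH", g2),
        "owned_after_delete_entry": c1.owned_by(g2),
        "login_after_refresh": c2.login("ASMITH", g2),
        "owned_after_refresh": c2.owned_by(g2),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

In this model both remedies restore the login, but only the refresh re-attaches the user's existing catalog objects to the new GUID; deleting the entry leaves them owned by a GUID that no longer exists.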
Do I Still Need SA System Subject Area?
It is now possible to use an Application Role to specify the recipients of an Agent. Previously in 10g this approach would not work unless you stored all the User > Catalog Group mappings in the BI Presentation Catalog.

With Oracle BI 11g, Delivers can now access information about users, their groups, and email addresses directly from the configured identity store. In many cases this completely removes the need to extract this information from your corporate directory into a database.
What Are The Important Files?
[middleware]\user_projects\domains\bifoundation_domain\config\config.xml
Contains:
- SSL configuration of the Admin and Managed Servers
- Definitions and setup of Identity Providers

[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml
During the BI Apps install, you deploy this file to install all the BI Apps roles.

[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\cwallet.sso
This is your Credential Store, containing encrypted usernames/passwords for your system accounts:
- BI System User
- Web service credentials
- RPD passwords
- etc.

If you don't know all the passwords, it is a good idea to back this up before you change any configuration... just in case.
How Do We Migrate Between Environments?
Diagram (what to migrate): Weblogic Console (Corporate LDAP users and groups), FMW Control (Application Roles), RPD (BI Server), Catalog & Manage Privileges (BI Presentation Services).
- Oracle BI EE 11g Migrating Security: Identity Stores (Part 1)
- Oracle BI EE 11g Migrating Security: Policy Store (Part 2)
- Oracle BI EE 11g Migrating Security: Credential Store (Part 3)

Just to summarise...
You can import/export the entire set of users/groups within the WebLogic LDAP via the WL Console. If you wish to do an incremental update then you will need to script it using WLST.

To migrate the full set of Application Roles, simply copy/paste the system-jazn-data.xml file to your target environment:
[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml

Running the 11g Upgrade Assistant will automatically migrate the 10g security configuration to 11g:
- RPD Groups migrated to WebLogic LDAP
- RPD Users migrated to WebLogic LDAP (and assigned to the relevant Groups)
- Application Role created for each Group

Diagram: OBIEE 10g -> OBIEE 11g.
Can I Still Use The 10g Security Model?
Yes... if you must! But hopefully the need for the 10g model is diminishing. The old method of using Initialization Blocks to populate the USER/GROUP session variables will still work in Oracle BI 11g.

- Use the new Session Variable ROLES instead of GROUP to map a user to one or more Application Roles
- Whenever you log in, the 10g security model is attempted first
- Some users can use the 10g model, others can use 11g
- A user should authenticate/authorize using either the 11g model or the 10g model... but not both
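To show what "populate ROLES from an Initialization Block" looks like in practice, here is an added example that is not Oracle's code: a row-wise init-block query that returns ROLES rows, run against an in-memory sqlite3 table standing in for the BI Server's database. The USER_ROLES table, its rows and the dictionary of roles WebLogic would supply are all constructed; the ':USER' substitution is the OBIEE convention for the logged-in user, and the "10g first, then 11g" ordering follows the slide.

```python
"""10g-style security in 11g: a row-wise Initialization Block that sets ROLES.

Added example, not Oracle code. The BI Server is simulated with sqlite3 so the
init block can be run offline; the USER_ROLES table and its rows are constructed.
The slide's ordering is modelled: the 10g model (init block) is attempted first,
and a user whose init block returns no ROLES falls through to the 11g model.
"""
import sqlite3
from typing import Dict, List, Tuple

# Row-wise init block: column 1 is the session variable name, column 2 a value,
# one row per value. ':USER' is OBIEE's substitution for the logged-in user.
INIT_BLOCK_SQL = "SELECT 'ROLES', ROLE_NAME FROM USER_ROLES WHERE USER_ID = ':USER'"


def build_sample_db() -> sqlite3.Connection:
    """Constructed USER_ROLES table: one row per (user, role)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USER_ROLES (USER_ID TEXT, ROLE_NAME TEXT)")
    con.executemany("INSERT INTO USER_ROLES VALUES (?, ?)", [
        ("ASMITH", "Sales Manager"),
        ("ASMITH", "Answers Access"),
        ("JDOE", "HR Manager"),
    ])
    return con


def run_init_block(con: sqlite3.Connection, user: str) -> Dict[str, List[str]]:
    """Simulate the BI Server: bind the user name as a parameter (never by string
    concatenation) and fold the returned rows into session variables."""
    sql = INIT_BLOCK_SQL.replace("':USER'", "?")
    session: Dict[str, List[str]] = {}
    for var, value in con.execute(sql, (user,)):
        session.setdefault(var, []).append(value)
    return session


def resolve_roles(con: sqlite3.Connection, user: str,
                  wls_roles: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """10g model first; fall back to the roles WebLogic would supply (11g model)."""
    session = run_init_block(con, user)
    if session.get("ROLES"):
        return "10g", sorted(session["ROLES"])
    return "11g", sorted(wls_roles.get(user, []))


def users_in_both_models(con: sqlite3.Connection,
                         wls_roles: Dict[str, List[str]]) -> List[str]:
    """Users that would get roles from both models; the slide says a user should
    use one model or the other, not both, so these are worth reviewing."""
    return sorted(u for u in wls_roles if run_init_block(con, u).get("ROLES"))


if __name__ == "__main__":
    db = build_sample_db()
    wls = {"BOB": ["BIConsumer"], "JDOE": ["BIAuthor"]}  # constructed 11g-side roles
    for u in ("ASMITH", "BOB", "JDOE"):
        print(u, resolve_roles(db, u, wls))
    print("in both models:", users_in_both_models(db, wls))
```

The query shape is the part to carry over: a row-wise init block returns (variable name, value) pairs, so several ROLES rows for one user become one multi-valued session variable. The check in users_in_both_models is the kind of sanity pass to run before mixing models across users.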
How Do You Implement SSL?
SSL is the mechanism used to enable secured HTTPS communications between the client web browser and the BI Server. SSL works fully in OBIEE; the implementation details are in the documentation (Security Guide). You have to do all four sections... no shortcuts!

SSL configuration is fiddly by nature; set aside around 2 man-days to configure it for the first time in development. The duration to implement could take longer, since you have to obtain a trusted certificate from a certificate authority.

Demo certificates are available (but you will get a standard security warning in the browser if you use them).

The following Tech Notes on My Oracle Support complement the Oracle Documentation:
- OBIEE 11g SSL Setup and Configuration (Doc ID 1326781.1)
- Procedure for configuring Node Manager with SSL (Doc ID 1142995.1)
How Do You Implement SSO?
With OAM you need an HTTP Proxy and Webgate to sit in front of WebLogic and perform the SSO redirection.
A tech note / white paper exists for implementing SSO with AD. Not for the faint-hearted!
What Do I Do When it All Goes Wrong?
- Try a different user account
- Try logging on with a system user account, e.g. weblogic
- Confirm you can log on to WebLogic Console and/or FMW Control (to confirm authentication is actually working)
- Reset the user's password
- Archive and delete the user from the catalog, restart Presentation Services and then unarchive the user back into the catalog
- Check the database and listener are working for the _BIPLATFORM and _MDS schemas (and make sure the DB passwords have not expired!)
- Check connectivity to the LDAP / AD server is OK (you do this in WebLogic Console; make sure you can see the external Groups and Users)
- Check the HOSTS file has not changed; the very first entry should have the IP address and server name
- Refresh GUIDs
- Restart the WebLogic and OPMN services
- Restart the WebLogic AdminServer, and then start all other processes from within the WebLogic Admin Console and FMW Control (i.e. no command line)
- Restart the whole server, then start up the WebLogic and OPMN services
- Delete the two BISystemUser user entries from the Presentation Catalog, then restart services:
  [Catalog Root]\root\users
- Delete the two sawguidstate entries from the System Presentation Catalog folder, then restart services:
  [Catalog Root]\root\system\mktgcache\[Hostname]
- Re-enter the BISystemUser credentials in the Credential Store, then restart all services
See Oracle Support article 1359798.1 to download the Technote on troubleshooting OBIEE security: http://support.oracle.com
Closing Thoughts
Security is by nature a complex topic; it is not just complicated in Oracle BI. There is obviously more work that can be done to simplify things in Oracle BI 11g, but let's try to be pleased with what we have:

- A huge array of security capability
- Support for small implementations all the way up to very large enterprise deployments
- A common model across Fusion Middleware applications

Questions?