1 Purpose 3
2 Definitions 3
3 Scope 4
3.1 Prerequisites 4
5 Sample schema 5
Authenticating to Oracle Business Intelligence Enterprise Edition 11g Using a Database Identity Store Page 2
Authenticating to Oracle Business Intelligence Enterprise Edition 11g Using a Database Identity Store
1 Purpose
This paper examines how to configure Oracle Business Intelligence Enterprise Edition (Oracle BI EE) 11.1.1.5.0 to
authenticate against a Database Identity Store using a SQLAuthenticator and a virtualized Identity Store Adapter.
This was not possible in Oracle BI EE 11g prior to release 11.1.1.5; customers wishing to authenticate solely against a
database had to rely on the old 10g-style mechanism of using INIT blocks.
2 Definitions
The definitions below have been simplified slightly in order to include only the context required to understand
this document.
Identity Store: An Identity Store is the repository of user, group and other user profile information. Identity
Stores can be of different types, including LDAP and Database.
Identity Store Service: A component of Oracle Platform Security Services. Used by Fusion Middleware
Security to retrieve user profile information such as guid, locale, timezone and displayname (typically LDAP
attributes), as well as to derive Application Role membership based on group membership.
Identity Store Provider: The component that enables the Identity Store Service to point to an underlying
Identity Store. By default, there is an Identity Store Provider configured for a single LDAP Identity Store,
based on the first Authentication Provider of the highest strength (by JAAS control flag, e.g.
REQUIRED) defined in the WebLogic security realm. This means that by default, all user role and profile
information is retrieved from a single Identity Store.
Virtualized Identity Stores: Since BI 11.1.1.5, it is possible to virtualize more than one Identity Store for
use with the Identity Store Service. This means that user profile information can now be split across different
Identity Stores. In addition, the virtualized Identity Store Provider can support LDAP and Database Identity
Stores. This means that user role and profile information can be stored in a database.
Database Adapter (for the Virtualized Identity Store): In order to use a database to store user role and profile
information, it is necessary to put in place an adapter that makes the database look like an LDAP server. The
Virtualized Identity Store Provider is able to retrieve user profile information from a database via a Database
Adapter. The Database Adapter
3 Scope
This document describes the steps required to configure Oracle BI EE 11.1.1.5.0 with a SQLAuthenticator and a
virtualized Identity Store Provider, both running against a sample database schema. The examples provided are
illustrative only: Oracle does not mandate that your database schema must be identical to the sample provided, nor
recommend its usage. It is solely provided to illustrate how to configure the SQLAuthenticator and a virtualized Identity
Store Provider (including a Database Adapter) against a suitable database schema.
It is anticipated that customers wishing to follow this route are doing so because they have an existing requirement to
authenticate users against a database schema; otherwise the preferred identity store for authentication purposes is an LDAP
directory service, such as Oracle Internet Directory (OID).
This approach to database authentication requires one database column holding user IDs and another holding
passwords (ideally in hashed form, as discussed under the SQLAuthenticator configuration below). This method is not
based on database user accounts.
This approach has been tested against the following release versions:
Oracle BI EE 11.1.1.5.0
3.1 Prerequisites
The following prerequisites must be satisfied before you attempt to setup a configuration similar to that described in
this document:
Oracle Business Intelligence Enterprise Edition 11.1.1.5.0 must be installed and running
A suitable database schema containing the users, credentials and groups required for authentication must be
running and accessible from the WebLogic server on which Oracle BI EE is running
1. Create a sample schema or views on an existing schema for your user, group and user profile
information.
By the end of this step, it should be possible for a suitably privileged user to login to the Weblogic
console using the Weblogic Database Authenticator for authentication.
5 Sample schema
In practice, customers will have their own schemas, usually ones they are already using in a prior 10g installation of
Oracle BI EE. This sample schema is far from optimal and deliberately simplistic; as stated, it is used solely to illustrate
how to configure the various parts of the system to use such a schema.
In our sample schema, we have three tables: USER, GROUP and USER_GROUP, the last of which acts as a join table
linking the first two.
If the user information does not exist in one table, create a view over the tables containing user information.
Use this view to present user information to the Database Adapter configured in section 6.2 of this document.
In the same way, if the User to Group and Group information are not in a single table, create a view over
these tables to present them to the Database Adapter configured in section 6.2 of this document.
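The paper describes the sample schema but does not show its DDL. The following is an added example, not code from the original paper: it creates the three tables described above, shows the kind of view recommended above for the case where user information is spread across several tables, and grants a read-only account the minimum it needs. The PEOPLE table, the BI_USER_V and BI_GROUP_MEMBER_V views, the BI_AUTH_READER account and the sample rows are constructed for illustration and do not appear in the original.

```sql
-- Added example (not from the original paper): Oracle DDL for the sample
-- schema described above. USER and GROUP are reserved words in Oracle
-- Database, so the sample table names have to be quoted; a real schema
-- would simply use non-reserved names.
CREATE TABLE "USER" (
    USER_ID   VARCHAR2(64)  NOT NULL,
    USER_NAME VARCHAR2(128) NOT NULL,
    PASSWORD  VARCHAR2(256) NOT NULL,  -- hashed value; see Plaintext Password Enabled below
    CONSTRAINT PK_USER PRIMARY KEY (USER_ID)
);

CREATE TABLE "GROUP" (
    GROUP_ID          VARCHAR2(64) NOT NULL,
    GROUP_DESCRIPTION VARCHAR2(256),
    CONSTRAINT PK_GROUP PRIMARY KEY (GROUP_ID)
);

-- Join table: one row per (user, group) membership. The foreign keys stop a
-- stale row from granting group membership (and so Application Role
-- membership) to a login that no longer exists.
CREATE TABLE USER_GROUP (
    USER_ID  VARCHAR2(64) NOT NULL,
    GROUP_ID VARCHAR2(64) NOT NULL,
    CONSTRAINT PK_USER_GROUP PRIMARY KEY (USER_ID, GROUP_ID),
    CONSTRAINT FK_UG_USER  FOREIGN KEY (USER_ID)  REFERENCES "USER"  (USER_ID),
    CONSTRAINT FK_UG_GROUP FOREIGN KEY (GROUP_ID) REFERENCES "GROUP" (GROUP_ID)
);

-- Constructed sample rows. The PASSWORD values stand in for the hashed form
-- the SQLAuthenticator expects; they are not real hashes.
INSERT INTO "USER" VALUES ('john.doe',   'John Doe',   '<hashed-password>');
INSERT INTO "USER" VALUES ('mary.jones', 'Mary Jones', '<hashed-password>');
INSERT INTO "GROUP" VALUES ('BIAdministrators', 'BI administrators');
INSERT INTO "GROUP" VALUES ('BIConsumers',      'BI report consumers');
INSERT INTO USER_GROUP VALUES ('john.doe',   'BIConsumers');
INSERT INTO USER_GROUP VALUES ('mary.jones', 'BIAdministrators');
INSERT INTO USER_GROUP VALUES ('mary.jones', 'BIConsumers');
COMMIT;

-- Hypothetical second table, standing in for an existing schema in which
-- profile data and account status live apart from the credentials.
CREATE TABLE PEOPLE (
    USER_ID VARCHAR2(64)  NOT NULL,
    EMAIL   VARCHAR2(128),
    ENABLED CHAR(1)       DEFAULT 'Y' NOT NULL,
    CONSTRAINT PK_PEOPLE PRIMARY KEY (USER_ID)
);
INSERT INTO PEOPLE VALUES ('john.doe',   'john.doe@example.com',   'Y');
INSERT INTO PEOPLE VALUES ('mary.jones', 'mary.jones@example.com', 'N');
COMMIT;

-- View presenting user information to the SQLAuthenticator and the Database
-- Adapter as one "table". Column names match what the statements and the
-- adapter mapping refer to, and disabled accounts are filtered out here so
-- neither component has to know about the ENABLED flag.
CREATE OR REPLACE VIEW BI_USER_V AS
SELECT u.USER_ID, u.USER_NAME, u.PASSWORD, p.EMAIL AS MAIL
FROM   "USER" u
JOIN   PEOPLE p ON p.USER_ID = u.USER_ID
WHERE  p.ENABLED = 'Y';

-- View presenting user-to-group and group information together for the group
-- adapter, so "description" can map to a real description column rather than
-- to GROUP_ID as in the sample template.
CREATE OR REPLACE VIEW BI_GROUP_MEMBER_V AS
SELECT ug.GROUP_ID, g.GROUP_DESCRIPTION, ug.USER_ID
FROM   USER_GROUP ug
JOIN   "GROUP" g ON g.GROUP_ID = ug.GROUP_ID;

-- Least privilege for the WebLogic data source account (BI_AUTH_READER is a
-- hypothetical account): SELECT on the two views only, nothing on the base
-- tables, since the ReadOnlySQLAuthenticator never needs to write.
GRANT SELECT ON BI_USER_V         TO BI_AUTH_READER;
GRANT SELECT ON BI_GROUP_MEMBER_V TO BI_AUTH_READER;
```

With the views in place, the SQLAuthenticator statements and the adapter templates reference BI_USER_V and BI_GROUP_MEMBER_V instead of the raw tables. Reference them schema-qualified (or through synonyms), because the data source connects as the reader account rather than as the schema owner.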
6.1 Configuring a Data Source
1) Login to Oracle WebLogic Server Administration Console (e.g. http://myserver:7001/console) as a WebLogic
Server administrator.
4) In the Summary of Data Sources page, click New, and choose Generic Data Source.
5) In the JDBC Data Sources Properties page, enter or select values for the following properties:
6) Click Next.
7) Choose a database driver from the Database Driver drop down list. For example, select: Oracle's Driver (Thin) for
Service Connections; Versions: 9.0.1 and later.
8) Click Next.
9) Click Next.
10) On the Connection Properties page, enter values for the following properties:
Database User Name: Typically the schema owner of the tables defined in the sample schema above. A dedicated
account holding only SELECT on the tables or views the authenticator and the adapter read is preferable: the
authenticator is read-only and never needs to write to the user and group tables, and the credentials entered here are
stored in the WebLogic configuration.
Password/Confirm Password: The password for the database user specified above.
11) Click Next.
12) Check the details on the page are correct, and click Test Configuration.
14) In the Select Targets page select the servers or clusters for your datasource to be deployed to.
You should select the AdminServer and Managed server(s) as your targets, for example:
Note: For the purposes of this example walkthrough, we will assume the DataSource you created is called
UserGroupDS.
3) Select Security Realms from the left pane and click myrealm.
The default Security Realm is named myrealm.
4) Display the Providers tab in the top row on the right hand side of the page.
6) Select ReadOnlySQLAuthenticator from the Type drop down list of available authenticators.
Note: This creates a read only SQL Authenticator, and WebLogic will not write back to the database.
8) Click OK.
10) Display the Provider Specific tab to specify the SQL statements used to query, and authenticate against, your
database tables.
11) If your password column is in plaintext (i.e. if the result of the query supplied for SQL Get Users Password
is not hashed), ensure the checkbox marked Plaintext Password Enabled is ticked. If this box is not ticked, the
SQLAuthenticator by default expects passwords to have been hashed using SHA-1 (the default PasswordAlgorithm).
Storing plaintext passwords means anyone who can read the table, or a backup of it, holds every user's credential,
so enable plaintext only while migrating and store hashed values otherwise. Further information on the supported
algorithms and password styles can be found in the documentation for the base SQLAuthenticator MBean
PasswordAlgorithm attribute:
http://download.oracle.com/docs/cd/E21764_01/apirefs.1111/e13951/mbeans/SQLAuthenticatorMBean.html?skipReload=true#PasswordAlgorithm
The table below contains the SQL statements for the sample schema outlined above (name, statement, description):
SQL Get Users Password (used to authenticate)
    SELECT PASSWORD FROM USER WHERE USER_ID = ?
    The SQL statement used to look up a user's password. It requires a single parameter for the username and must
    return a resultSet containing at most a single record containing the password.

SQL User Exists
    SELECT USER_ID FROM USER WHERE USER_ID = ?
    The SQL statement used to look up a user. It requires a single parameter for the username and must return a
    resultSet containing at most a single record containing the user.

SQL List Users
    SELECT USER_ID FROM USER WHERE USER_ID LIKE ?
    The SQL statement used to retrieve users that match a particular wildcard search. It requires a single parameter
    for the wildcarded username and returns a resultSet containing matching usernames.

SQL List Groups
    SELECT GROUP_ID FROM GROUP WHERE GROUP_ID LIKE ?
    The SQL statement used to retrieve group names that match a wildcard. It requires a single parameter for the
    wildcarded group name and returns a resultSet containing matching groups.

SQL Group Exists
    SELECT GROUP_ID FROM GROUP WHERE GROUP_ID = ?
    The SQL statement used to look up a group. It requires a single parameter for the group name and must return a
    resultSet containing at most a single record containing the group.

SQL Is Member
    SELECT GROUP_ID FROM USER_GROUP WHERE GROUP_ID = ? AND USER_ID LIKE ?
    The SQL statement used to look up members of a group. It requires two parameters: a group name and a member
    (user or group) name. It must return a resultSet containing the group names that matched.

SQL List Member Groups
    SELECT GROUP_ID FROM USER_GROUP WHERE USER_ID = ?
    The SQL statement used to look up the groups a user or group is a member of. It requires a single parameter for
    the username or group name and returns a resultSet containing the names of the groups that matched.

SQL Get User Description (only valid if Descriptions Supported is enabled)
    SELECT USER_NAME FROM USER WHERE USER_ID = ?
    The SQL statement used to retrieve the description of a specific user. It requires a single parameter for the
    username and must return a resultSet containing at most a single record containing the user description.

SQL Get Group Description (only valid if Descriptions Supported is enabled)
    SELECT GROUP_DESCRIPTION FROM GROUP WHERE GROUP_ID = ?
    The SQL statement used to retrieve the description of a group. It requires a single parameter for the group name
    and must return a resultSet containing at most a single record containing the group description.
Note: If you are using a different table structure, you will need to adapt these SQL statements (table or column
names) to your own schema. Leave the question mark (?) as a runtime placeholder rather than hardcoding a user or
group name: WebLogic binds the value as a JDBC parameter, which is also what keeps a user-supplied login name out
of the SQL text. Be aware that USER and GROUP are reserved words in Oracle Database, so against an Oracle schema
the sample table names must be quoted ("USER", "GROUP") or replaced with your own non-reserved names.
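Before pointing the SQLAuthenticator at a schema, it is worth verifying that the data honours the "at most a single record" contracts stated in the table and that membership rows cannot grant group membership to logins that no longer exist. The queries below are an added example, not from the original paper; they assume the sample tables described above (quoted because USER and GROUP are reserved words in Oracle) and the sample login john.doe, which is constructed for illustration.

```sql
-- Added example (not from the original paper): checks to run against the
-- schema before configuring the SQLAuthenticator. Assumes the sample tables
-- above; USER and GROUP are quoted because they are reserved words in Oracle.

-- 1. "SQL User Exists" and "SQL Get Users Password" must return at most one
--    row. Duplicate logins, including case variants, break that contract.
SELECT UPPER(USER_ID) AS LOGIN, COUNT(*) AS ROWS_FOUND
FROM   "USER"
GROUP  BY UPPER(USER_ID)
HAVING COUNT(*) > 1;

-- 2. The same contract applies to "SQL Group Exists".
SELECT UPPER(GROUP_ID) AS GRP, COUNT(*) AS ROWS_FOUND
FROM   "GROUP"
GROUP  BY UPPER(GROUP_ID)
HAVING COUNT(*) > 1;

-- 3. Orphaned memberships. "SQL Is Member" and "SQL List Member Groups" read
--    USER_GROUP alone, so a row left behind for a deleted user or group still
--    reports the membership. Foreign keys prevent this; run the check on an
--    existing schema that has none.
SELECT ug.USER_ID, ug.GROUP_ID
FROM   USER_GROUP ug
LEFT JOIN "USER"  u ON u.USER_ID  = ug.USER_ID
LEFT JOIN "GROUP" g ON g.GROUP_ID = ug.GROUP_ID
WHERE  u.USER_ID IS NULL OR g.GROUP_ID IS NULL;

-- 4. Accounts with no password value (in Oracle an empty string is NULL).
SELECT USER_ID FROM "USER" WHERE TRIM(PASSWORD) IS NULL;

-- 5. Logins containing LIKE wildcards. "SQL Is Member" binds the member name
--    into a LIKE clause, so '%' matches every row and '_' matches any single
--    character. '_' is common in logins and usually harmless; '%' should
--    never be accepted at provisioning time.
SELECT USER_ID,
       INSTR(USER_ID, '%') AS HAS_PERCENT,
       INSTR(USER_ID, '_') AS HAS_UNDERSCORE
FROM   "USER"
WHERE  INSTR(USER_ID, '%') > 0 OR INSTR(USER_ID, '_') > 0;

-- 6. Dry run of the authenticator statements with a literal where WebLogic
--    binds the "?" parameter (the placeholder itself stays in the config).
SELECT PASSWORD FROM "USER" WHERE USER_ID = 'john.doe';                        -- exactly one row
SELECT GROUP_ID FROM USER_GROUP WHERE GROUP_ID = 'BIConsumers' AND USER_ID LIKE 'john.doe';
SELECT GROUP_ID FROM USER_GROUP WHERE USER_ID = 'john.doe';                    -- the user's groups
```

Any row returned by checks 1 to 3 should be fixed in the data before the provider is enabled; a duplicate login in particular makes the password lookup return more than one record, and the user simply fails to authenticate with nothing more helpful than the stack trace shown in the troubleshooting section.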
1) Return to the table of authentication providers (select Security Realms from the left pane, click myrealm and
display the Providers tab). Your new provider will be at the bottom and the DefaultAuthenticator at the top.
2) Click the DefaultAuthenticator link to edit its properties.
3) In the Common page, change the value of the Control Flag drop down list from REQUIRED to SUFFICIENT
and click Save.
For more information, see Configuring Authentication Providers in the Oracle Fusion Middleware Securing Oracle WebLogic
Server guide at http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/atn.htm#i1204568, which
contains a detailed explanation of these settings.
4) Return to the table of authentication providers and click the link to your new SQLAuthenticator provider
(UserGroupDBAuthenticator in the example) to edit its properties.
5) In the Common Authentication Provider Settings page, change the value of the Control Flag drop down list from
OPTIONAL to SUFFICIENT and click Save.
6) Return to the table of authentication providers, click Reorder, then select the checkbox next to your
SQLAuthenticator (UserGroupDBAuthenticator in our example), then use the shuttle control to move it to the top
of the list.
With both providers set to SUFFICIENT, a login succeeds as soon as one provider in the list accepts it, so after the
reorder a username that exists in both the database and the embedded LDAP is checked against the database password
first. The DefaultAuthenticator still authenticates accounts that exist only in the embedded LDAP, such as the
weblogic administrator.
7) You must ensure there is a trusted system user in your database and that you replace the credentials in the
Credential Store to point to this user's credentials, as described in Configuring a New Trusted User (BISystemUser)
in the Oracle Fusion Middleware Security Guide for Oracle Business Intelligence, available here:
http://fmwdocs.us.oracle.com/doclibs/fmw/E10285_01/bi.1111/e10543/privileges.htm#CHDFHDBE (internal
pre-release link; see the published Security Guide for the current URL)
8) Activate the changes and stop and restart the BI Components (use Fusion Middleware Control once the Admin
Server has been restarted), WebLogic Admin Server, and Managed Server(s).
Note: Check the Users and Groups tab to confirm that the database users and groups appear there.
2) Right-click bifoundation_domain and select Security, then Security Provider Configuration to display the
Security Provider Configuration page.
3) In the Identity Store Provider area, click Configure to display the Identity Store Configuration page.
4) In the Custom Properties area, use the Add option to create a Custom Property called "virtualize" with a value of
"true".
This file is used to describe the mapping of the user table to a virtual LDAP store.
You must adapt the mapping section (the objectClass element and its attribute children, shown in bold in the
original) to match the columns in your own table and the attributes used in the LDAP server; the sample shown here
is for the sample schema we have been using throughout this document.
<?xml version = '1.0' encoding = 'UTF-8'?>
<adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters"
xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
<dataBase id="directoryType" version="0">
<root>%ROOT%</root>
<active>true</active>
<serverType>directoryType</serverType>
<routing>
<critical>true</critical>
<priority>50</priority>
<inclusionFilter/>
<exclusionFilter/>
<plugin/>
<retrieve/>
<store/>
<visible>Yes</visible>
<levels>-1</levels>
<bind>true</bind>
<bind-adapters/>
<views/>
<dnpattern/>
</routing>
<pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
<plugins>
<plugin>
<name>DBGUID</name>
<class>oracle.ods.virtualization.engine.chain.plugins.dbguid.DBGuidPlugin</class>
<initParams>
<param name="guidAttribute" value="orclguid"/>
</initParams>
</plugin>
</plugins>
<default>
<plugin name="DBGUID"/>
</default>
<add/>
<bind/>
<delete/>
<get/>
<modify/>
<rename/>
</pluginChains>
<driver>oracle.jdbc.driver.OracleDriver</driver>
<url>%URL%</url>
<user>%USER%</user>
<password>%PASSWORD%</password>
<ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
<includeInheritedObjectClasses>true</includeInheritedObjectClasses>
<maxConnections>10</maxConnections>
<mapping>
<joins/>
<objectClass name="person" rdn="cn">
<attribute ldap="cn" table="USER" field="USER_NAME" type=""/>
<attribute ldap="uid" table="USER" field="USER_ID" type=""/>
<attribute ldap="usernameattr" table="USER" field="USER_NAME" type=""/>
<attribute ldap="loginid" table="USER" field="USER_ID" type=""/>
<attribute ldap="description" table="USER" field="USER_NAME" type=""/>
<attribute ldap="orclguid" table="USER" field="USER_ID" type=""/>
</objectClass>
</mapping>
<useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
<connectionWaitTimeout>10</connectionWaitTimeout>
<oracleNetConnectTimeout>0</oracleNetConnectTimeout>
<validateConnection>false</validateConnection>
</dataBase>
</adapters>
3) In the example above only the mapping section (the objectClass element and its attribute children, highlighted
in red in the original) should need customising. The elements are mapped by matching the attributes/classes used in
the virtual LDAP schema with the columns in your database which correspond to them. The virtual schema is the same
as that of WebLogic Embedded LDAP, so you can map database columns to any of the attributes shown in the table below:
Attribute Example
cn john.doe
uid john.doe
sn Doe
userpassword welcome1
employeeNumber 12345
employeeType Regular
givenName John
homePhone 650-555-1212
mail john.doe@example.com
title Manager
manager uid=mary.jones,ou=people,ou=myrealm,dc=wc_domain
preferredLanguage en
departmentNumber tools
facsimiletelephonenumber 650-555-1200
mobile 650-500-1200
pager 650-400-1200
telephoneNumber 650-506-1212
l Redwood Shores
4) The first, outer element (<objectClass name="person" rdn="cn">) declares which LDAP objectclass we are
mapping (person in the sample; the attributes listed above belong to inetOrgPerson, which extends person) and that
the cn attribute is its RDN (Relative Distinguished Name). The subelements then declare which LDAP attributes map
to which tables and columns in the database.
5) So, for example, the line <attribute ldap="uid" table="USER" field="USER_ID" type=""/> means that
we wish to map the USER_ID field of the USER table to the standard LDAP attribute uid, i.e. a unique user id for
each user.
6) Next we need to map groups in the same way. Create a file named adapter_template_usergroup2.xml to describe
the mapping of the group table to a virtual LDAP store.
You must adapt the mapping section (the objectClass element and its attribute children, shown in bold in the
original) and the ReplaceAttribute parameter to match the columns in your own table. The sample content shown
here matches the sample schema we have been using throughout this document.
<?xml version = '1.0' encoding = 'UTF-8'?>
<adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters"
xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
<dataBase id="directoryType" version="0">
<root>%ROOT%</root>
<active>true</active>
<serverType>directoryType</serverType>
<routing>
<critical>true</critical>
<priority>50</priority>
<inclusionFilter/>
<exclusionFilter/>
<plugin/>
<retrieve/>
<store/>
<visible>Yes</visible>
<levels>-1</levels>
<bind>true</bind>
<bind-adapters/>
<views/>
<dnpattern/>
</routing>
<pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
<plugins>
<plugin>
<name>VirtualAttribute</name>
<class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class>
<initParams>
<param name="ReplaceAttribute"
value="uniquemember={cn=%uniquemember%,cn=users,dc=oracle,dc=com}"/>
</initParams>
</plugin>
</plugins>
<default>
<plugin name="VirtualAttribute"/>
</default>
<add/>
<bind/>
<delete/>
<get/>
<modify/>
<rename/>
</pluginChains>
<driver>oracle.jdbc.driver.OracleDriver</driver>
<url>%URL%</url>
<user>%USER%</user>
<password>%PASSWORD%</password>
<ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
<includeInheritedObjectClasses>true</includeInheritedObjectClasses>
<maxConnections>10</maxConnections>
<mapping>
<joins/>
<objectClass name="groupofuniquenames" rdn="cn">
<attribute ldap="cn" table="USER_GROUP" field="GROUP_ID" type=""/>
<attribute ldap="description" table="USER_GROUP" field="GROUP_ID" type=""/>
<attribute ldap="uniquemember" table="USER_GROUP" field="USER_ID" type=""/>
</objectClass>
</mapping>
<useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
<connectionWaitTimeout>10</connectionWaitTimeout>
<oracleNetConnectTimeout>0</oracleNetConnectTimeout>
<validateConnection>false</validateConnection>
</dataBase>
</adapters>
8) Again, only the sections highlighted in red in the original should need customising, but note that there are two
elements which need looking at. The first is the param element named ReplaceAttribute, which specifies how to
construct the unique member DN for a group (the %uniquemember% is a placeholder for a value which will be passed in
at runtime when looking up whether a user is a member of a group). The only aspect of this element you may wish to
change is the root for your users. While this is notional, by default it must match whatever you specify as the root
of your user population (the -root argument) when you run the libovdadapterconfig script below.
9) The second element which needs customising specifies how group attributes are mapped to database fields. As
with the user mapping, the attributes correspond to the defaults in WebLogic Embedded LDAP. You must at least map
cn (to a unique name for your group) and uniquemember (to the unique name for your user in the user/group mapping
table in your database schema); the description attribute is optional, although clearly helpful, as is orclguid
(which maps to a unique ID, if available in your database schema). No other attributes are user-configurable.
Set the following environment variables before running the script, adjusting the paths to your installation:
ORACLE_HOME=<MW_HOME>/Oracle_BI1
WL_HOME=<MW_HOME>/wlserver_10.3/
JAVA_HOME=<MW_HOME>/jdk160_24/
13) Run the libovdadapterconfig script once for each of the two adapters, passing the corresponding template file
from the steps above. The syntax, shown here for the group adapter, is:
./libovdadapterconfig.sh -adapterName userGroupAdapter2 \
    -adapterTemplate adapter_template_usergroup2.xml \
    -host localhost -port 7001 -userName weblogic \
    -domainPath /opt/oracle_bi/user_projects/domains/bifoundation_domain/ \
    -dataStore DB -root cn=users,dc=oracle,dc=com -contextName default \
    -dataSourceJNDIName jdbc/UserGroupDS
The -root value must match the root used in the ReplaceAttribute parameter of the group template
(cn=users,dc=oracle,dc=com in the sample), and -dataSourceJNDIName is the JNDI name of the data source created
earlier, not its display name.
16) You should now be able to login to WebLogic and Oracle Business Intelligence using credentials stored in the
database.
To add or remove users to/from the WebLogic Admin global role via the WebLogic Admin Console:
Select Security Realms from the left-hand menu, click on the link to your security realm in the main screen
(e.g. myrealm), then select Roles and Policies from the tabs along the top.
In the list of roles, click on the plus sign to expand Global Roles, then Roles, then click on the link marked
View Role Conditions for the Admin Role.
Ensure the conditions specified will match your user, either directly, or by virtue of a group they belong to
(e.g. the condition may be User=myadminaccount or Group=Administrators).
If you have made any changes, click the Save button. Changes should be applied immediately.
Now, you should be able to check whether the user in question can log in to the Weblogic Administrative Console at
http://[bi server address]:[AdminServer Port]/console (e.g. http://biserver:7001/console). If they can, but cannot log
in to BI, the SQLAuthenticator is working correctly, but there may be issues in the Identity Store Service. Check that
you have specified the virtualize=true property in the Identity Store Config and that your DBAdapter templates are
correct.
If the user cannot log in to Weblogic via the Admin Console when they have been assigned the Weblogic Global Admin
role, there may be issues in the configuration of the SQLAuthenticator. If this is the case, the issues should be shown in
the AdminServer logs.
Wrong datasource name specified: if you specify the wrong JNDI name for the datasource field of the SQLAuthenticator,
errors such as
at weblogic.security.providers.authentication.shared.DBMSAtnLoginModuleImpl.login(DBMSAtnLoginModuleImpl.java:318)
appear in the WebLogic AdminServer/Managed Server(s) log files. Be aware that you should use the fully qualified
JNDI name, not the Name field of the DataSource: in the Configuring a Data Source section above, the name of the
DataSource was UserGroupDS but the JNDI name was jdbc/UserGroupDS, and it is this fuller form which
should be used.
Incorrect SQL queries: take care that the SQL queries you specify in the SQLAuthenticator config are syntactically
correct and refer to the correct tables etc. For example, the following error occurs in the AdminServer.log when the
wrong table name is specified for the password query:
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:457)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:889)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:476)
1) Log into the WLST console by running the WLST script at <BI Install Dir>/oracle_common/common/bin/wlst[.sh/cmd]
2) Connect to the Admin Server, e.g. connect('weblogic','weblogic','t3://localhost:7001'). Calling connect() with
no arguments makes WLST prompt for the username, password and URL, which keeps the administrator password out of
shell history and script files.
3) Delete the misconfigured adapter, e.g. deleteAdapter(adapterName='userGroupAdapter2')
4) Exit the WLST console using the command exit() and recreate the Adapter with the correct settings by following
the steps outlined in section 5.2
Authenticating to Oracle Business Intelligence Enterprise Edition 11g Using a Database Identity Store
June 2011
Author: Oracle BI Development
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
www.oracle.com