Heljula Security 123

OBIEE 11g Security – it’s as easy as 1-2-3!

Antony Heljula @aheljula

BI Architect

Agenda

Aim of Presentation 10g Security Model 11g Security Model What is Supported Identity Providers Groups GUIDs SSL Single Sign On (SSO) Important Files Migration Closing Thoughts

Aim of Presentation

To explain the key concepts behind the Oracle BI 11g security model

Clarify what is and what is not supported

Demonstrate that it can achieve great results

Explain why 11g security model is better than 10g – you don’t need the 10g security model any more!

Discuss some advanced topics such as SSO, SSL and migration

It is getting better…..we can look forward to a brighter future!

10g Security Model

BI Presentation Services

BI Server

Catalog Groups

Groups “Groups” apply responsibilities for BI Server

“Catalog Groups” apply responsibilities for BI Presentation Services. Can be

inherited from other “Catalog Groups” and also other BI Server “Groups”

10g Security Model

BI Server

Corporate LDAP

USERS ASMITH

GROUPS Sales Manager

Catalog Groups

Groups

ASMITH is a Sales Manager

ASMITH gets data visibility for a Sales Manager

ASMITH can see the Sales Manager dashboard

10g Security Model

BI Server

Corporate LDAP

USERS ASMITH

Catalog Groups

Groups

ASMITH is granted some presentation privileges directly

10g Security Model

BI Server

Corporate LDAP

USERS ASMITH

GROUPS Sales Manager Answers Access Delivers Access

Catalog Groups

Groups

Additional LDAP “Groups” applied

directly to Presentation Services

Group inheritance within LDAP

Issues with 10g Security Model

BI Server

Corporate LDAP

USERS ASMITH

Catalog Groups

Groups

Not an easy model to explain! p.s. 10g didn’t even directly support Groups in LDAP

BI Server

Corporate LDAP

USERS ASMITH

Catalog Groups

Groups

Reliance on Corporate LDAP to manage application-only privileges

e.g. Answers Access

Corporate LDAP

GROUPS

If every application needed their own hierarchy of privileges how complicated

is your Corporate LDAP going to become?

GROUPS GROUPS

GROUPS

GROUPS GROUPS

USERS USERS

USERS USERS USERS

Application Application

Application

Application Application

11g Security Model

The 11g Security Model

BI Server

Corporate LDAP

USERS ASMITH

Your Corporate LDAP just contains “corporate”

Users and Groups

BI Server

Corporate LDAP

USERS ASMITH

APPLICATION ROLES

Sales Manager Answers Access Delivers Access

A new layer of “Application Roles” define the application-specific roles.

The OBI Administrators maintain these

BI Server

Corporate LDAP

USERS ASMITH

APPLICATION ROLES

A Group can belong to multiple Application Roles e.g. Sales Managers

also have “Answers Access”

BI Server

Corporate LDAP

USERS ASMITH

APPLICATION ROLES

But if you prefer, Application Roles can belong to other Application Roles e.g. “Sales Manager”

Role also has “Answers Access” Role

BI Server

Corporate LDAP

USERS ASMITH

APPLICATION ROLES

Application Roles are used by both BI Presentation Services and BI Server

BI Server

Corporate LDAP

USERS ASMITH

APPLICATION ROLES

You can also assign a User to an Application Role

The 11g Security Model Advantages

BI Server

Corporate LDAP

USERS ASMITH

APPLICATION ROLES

1) Greater control for the OBI Administrator 2) Corporate LDAP less complex 3) Simpler architecture 4) More flexibility 5) Greater consistency between OBIPS and OBIS

The 11g Security Model Administration Points

BI Server

Corporate LDAP

USERS ASMITH

APPLICATION ROLES

Weblogic Console FMW Control

Catalog & Manage Privileges

In the Weblogic Console you can: Configure Identity Providers (discussed later) Configure Users and Groups (Embedded LDAP)

1) Weblogic Console

You can use FMW Control for: Creating new Application Roles Assigning Roles/Groups/Users to Application Roles

2) FMW Control

Menu option: Security > Application Roles

Within the RPD you can apply security rules to Application Roles: Access to Subject Area contents Access to Connection Pools Apply Data Filters Apply Query Limits

3) RPD

Within the Presentation Layer you can use Application Roles for: Managing privileges Object access permissions within the Catalog

4) Catalog and Manage Privileges

FMW Control comes with its own embedded “Credential Store” WebLogic Domain > bifoundation_domain > Security > Credentials

In here are stored passwords for: BISystemUser RPD Passwords Any other credentials (e.g. for custom web services)

No More “Cryptotools”

When you install Oracle BI 11g, you get the following mapping between Users Groups Roles:

Default Configuration

BISystem Component BIAdministrators

BIAuthors

BIConsumers

BIAdministrator

BIAuthor

BIConsumer

member of

USERS GROUPS ROLES

BIAdministrators: All Functions BIAuthors: Create new content BIConsumers: Read-only

Each of the default Application Roles is allocated one or more “Application Policies”. These Application Policies provide access to certain “Resources” within Oracle BI

Application Policies

The “BIAdministator” role can: • Manage Repositories • Manage Jobs • Manage the Presentation Catalog • Administer BI Server

The policies for the “BIAdministrator” role provide access to the “Administration” screen

The policies for the “BIAuthor” role provide access to the entire “New” menu to create new reporting objects

NOTE: Confusion still remains as to why these

types of privilege are not on the “Manage Privileges” screen along with everything else

Application Policies

Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?

What Roles and Policies Should I Have?

First of all, use the new default Application Roles to distinguish between your 3 main types of user: Administrators BI Administrator Role Report Developers BI Author Role Everyone Else BI Consumer Role

By default, all authenticated users will get “BI Consumer Role”, so you only

need to manage the allocation of BI Auther/Administrator Roles

There is typically no need to alter the Application Policies that are assigned to each role The default policies provide a convenient way to restrict access to core Oracle

BI system resources

Default Roles and Policies

What Roles and Policies Should I Have?

You can then have your own custom Application Roles to manage access and privileges at a more granular level

For example: Sales Manager Role Access to the “Sales Manager” Dashboard HR Manager Role Access to the “HR Manager” Dashboards BI Answers Role Access to Answers BI Delivers Role Access to Delivers

NOTE: In most cases, 1 LDAP Group will map to 1 Application Role

Custom Roles

What Roles and Policies Should I Have? A Combination of Default/Custom Roles

BI Server

USERS ASMITH

GROUPS BIAdministrator

BIAuthor BIConsumer

Sales Manager

APPLICATION ROLES

BIAdministrator

BIAuthor BIConsumer

When Should I Use the WebLogic LDAP?

The Embedded WebLogic LDAP is relatively basic compared to the more “enterprise” LDAP solutions e.g. OID, AD

Oracle advise no more than 1,000 users

When Should I Use the WebLogic LDAP?

BI Server Corporate LDAP

All other users

APPLICATION ROLES

WebLogic LDAP

Weblogic BISystemUser

Test users

Treat the WebLogic LDAP much like you treated the RPD as a user store in OBI 10g (weblogic, system accounts and test users only)

All other users go in the Corporate LDAP

Can I Have Multiple Identity Providers?

Yes. It is possible to add multiple other Identity Providers within WebLogic console

By default, there are two embedded WebLogic providers: DefaultAuthenticator (Embedded Weblogic LDAP) DefaultIdentityAsserter

It is possible though to add further “Identity Providers” e.g. OID

Multiple Identity Providers with either: Users and Groups in LDAP Users and Groups in Database Users in LDAP and Groups in Database (in 11.1.1.6, patch in 11.1.1.5)

Identity Providers for Authentication: (NOTE: not exhaustive)

Weblogic LDAP Active Direcitory iPlanet Oracle Internet Directory (OID) Oracle Virtual Directory (OVD) Novell (eDirectory 8.8) OpenLDAP SQL Tivoli Directory Server 6.2 SQL Group Lookup (New with 11.1.1.6, patch for 11.1.1.5)

Support

Adding new Identity Providers is straight forward via the “New” button Supported providers in red (not exhaustive)

You can reorder the list of providers so that authentication is performed in a different order e.g. OID Weblogic LDAP

Adding a New Provider

It is a common situation with Oracle BI Apps where you have: Users to be authenticated in a Corporate LDAP Groups to be obtained from the source OLTP (e.g. EBS)

BISQLGroupProvider

BI Server

Corporate LDAP

APPLICATION ROLES

Weblogic

Groups

The 11g security model now supports this type of arrangement

A new provider “BISQLGroupProvider” is available to obtain Groups from a database: Available in 11.1.1.6 (with some configuration) Available in 11.1.1.5 (patch 11667221)

To configure, see Oracle Support article 1428008.1 to obtain the TechNote: TechNote_LDAP_Auth_DB_Groups_V3.pdf

BISQLGroupProvider

When you have multiple Identity Providers you should set the “virtualize = true” custom property within FMW Control: Bifoundation_domain > Security > Security Provider Configuration

Without this setting:

Only the first identity provider listed will be used by OBI You won’t be able to log in if the AdminServer dies

If you can get the setting to work, try restarting Managed Server and OPMN processes via FMW Control rather than the command line

Virtualize=True

Can I Have Multiple Identity Providers? Managing “BISystemUser”

BISystemUser

APPLICATION ROLES

WebLogic LDAP

When you implement an additional identity provider, The Oracle BI documentation suggests to migrate the

BISystemUser to your external LDAP provider.

BISystemUser

APPLICATION ROLES

WebLogic LDAP

But what happens if the Corporate LDAP becomes unavailable?

BISystemUser

APPLICATION ROLES

WebLogic LDAP

BISystemUser

It is better to keep the BISystemUser account in the WebLogic LDAP store – you can still start up and use Oracle BI even when the

Corporate LDAP is unavailable (NOTE: need to set virtualize=true)

Where Do I Get My Groups From?

When you have multiple identity providers, the Groups for each users will be obtained from the same provider that they authenticated against

For example:

Multiple Identity Providers

WebLogic user will obtain Groups from “DefaultAuthenticator”

Corporate End Users will obtain their Groups from “OracleInternetDirectory”, as this is where they are authenticated

A “BI SQL Group Lookup” identity provider is always assigned to a single LDAP provider The Groups will only come from the BI SQL Group Lookup provider Any Groups in the LDAP store are ignored

BISQLGroupProvider

In this example, any user authenticating using “OracleInternetDirectory” will obtain their Groups from the “BISQLGroupProvider”.

Any Groups assigned to the user in OID will be ignored.

If you are using the WebLogic LDAP as an authenticator then you will need to maintain your “Groups” in this store

But Groups from other identity providers (e.g. OID) will be automatically integrated (as shown below), you don’t need to create them manually

WebLogic Console

External Group from OID

Your internal and external Groups are immediately available to be assigned to Application Roles:

FMW Control

The “BIAuthor Role” will be assigned to users belonging to the

corresponding “BIAuthor” groups in both Weblogic LDAP and OID

What are GUIDs?

In Oracle BI 11g, users are recognized by their Global Unique Identifiers (GUIDs), not by their names

GUIDs are identifiers that are completely unique for a given user

Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata is uniquely secured for a specific user, independent of the user name

What are GUIDs? Example Scenario

BI Server

Corporate LDAP

ASMITH

1) User “ASMITH” has been given access to the “Administrator” screen within the Oracle BI front-end

ASMITH Administration

BI Server

Corporate LDAP

ASMITH

2) User “ASMITH” leaves the company and is removed from the Corporate LDAP

BI Server

Corporate LDAP

ASMITH

3) A few months later, a new “ASMITH” joins the company

BI Server

Corporate LDAP

ASMITH

4) Can the new “ASMITH” log on to Oracle BI and get Administration privileges?

BI Server

Corporate LDAP

ASMITH (1234)

ASMITH (5678)

5) The answer is NO! Because the new “ASMITH” user has a different GUID to the original AMSITH

ASMITH (1234) Administration

What are GUIDs? The Outcome

In fact, the “ASSMITH” wont be able to log on at all!

What are GUIDs?

The GUID feature is there to help secure your OBI environments – especially production

There may however be times when GUIDs become out of sync in and you cannot log in as certain users: Migrating from WebLogic Embedded LDAP to an alternative identity provider Deleting users and then recreating them Migrating “Production” Presentation Catalog / RPD to the “Development”

environment

In order to work around this, you can either: Delete the offending users from the Presentation Catalog and log in again or Refresh GUIDs (explained overleaf)

Refreshing GUIDs

What are GUIDs?

Open up the NQSConfig.ini file for editing: [OBI Home]/config/OracleBIServerComponent/coreapplication_obis1/NQSConfig.ini

Set the following parameter within the [SERVER] section: FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;

Save the file

Regenerating GUIDs : Step 1 / 4

What are GUIDs?

Open up the instanceconfig.xml file for editing:

[OBI Home]/config/OracleBIPresentationServicesComponent/coreapplication_obips1/instanceconfig.xml

Add an “UpdateAccountGUIDs” entry to the <Catalog> section as follows: <ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1"> <ps:UpgradeAndExit>false</ps:UpgradeAndExit> <ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs> </ps:Catalog>

Save the file

What are GUIDs?

Restart Oracle BI System components: $ORACLE_BASE/instances/instance1/bin/opmnctl stopall $ORACLE_BASE/instances/instance1/bin/opmnctl startall

What are GUIDs?

To ensure your system is secure once again you must revert the configuration changes! NQSConfig.ini : FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;

Instanceconfig.xml : Remove entry for <ps:UpdateAccountGUIDs>

Restart Processes : opmnctl stopall / startall

Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - What Happens During An Upgrade? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?

Do I Still Need SA System Subject Area? Delivers Recipients

It is now possible to use an Application Role to specify the recipients of an “Agent”

Previously in 10g this approach would not work unless you stored all the User > Catalog Group mappings in the BI Presentation Catalog Very rarely done

Do I Still Need SA System Subject Area? Delivery Profiles

Direct access to LDAP Servers

With Oracle BI 11g, Delivers can now access information about users, their groups, and email addresses directly from the configured identity store

In many cases this completely removes the need to extract this information from your corporate directory into a database

What Are The Important Files?

[middleware]\user_projects\domains\bifoundation_domain\config\config.xml

Contains: SSL Configuration of Admin and Managed Servers Definitions and setup of Identity Providers

config.xml

[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml

Contains definition of all Application Roles

During BI Apps install, you deploy this file to install all the BI Apps roles

System-jazn-data.xml

[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\cwallet.sso

This is your “Credential Store” containing encrypted

usernames/passwords for your system accounts: BI System User Web service credentials RPD passwords etc

If you don’t know all the passwords, it is a good idea to back this up before

you change any configuration….just in case

cwallet.sso

How Do I Migrate Between Environments? 11g Security Migration Points

BI Server

Corporate LDAP

USERS ASMITH

APPLICATION ROLES

Weblogic Console FMW Control

Catalog & Manage Privileges

How Do I Migrate Between Environments?

The topic of migration is covered in the Rittman Mead blogs: Oracle BI EE 11g – Migrating Security – Identity Stores – Part 1 Oracle BI EE 11g – Migrating Security – Policy Store – Part 2 Oracle BI EE 11g – Migrating Security – Credential Store – Part 3

Just to summarise…..

You can import/export the entire set of users/groups within the Weblogic LDAP via the WL Console

If you wish to do an incremental update then you will need to script using WLST

Weblogic LDAP Users/Groups

To migrate the full set of Application Roles, simply copy/paste the system-jazn-data.xml file to your target environment: [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml

If you need to do an incremental update then either: Set up the Application Roles manually via FMW Control Use WLST scripting

Application Roles

Running the 11g “Upgrade Assistant”will automatically migrate the 10g security configuration to 11: RPD “Groups” migrated to WebLogic LDAP RPD “Users” migrated to WebLogic LDAP (and assigned to relevant Groups) Application Role created for each Group

During an 10g-11g upgrade?

OBIEE 11g

OBIEE 10g

Can I Still Use The 10g Security Model?

Yes…..if you must! But hopefully the need for the 10g model is diminishing

The “old” method of using Initialization Blocks to populate USER/GROUP session variables will still work in Oracle BI 11g Use the new Session Variable “ROLES” instead of “GROUP” to map a user to one

or more Application Roles

Whenever you log in, the 10g security model is attempted first Some users can use the 10g model, others can use 11g

Don’t mix security models for the same user:

A user should authenticate/authorize using either the 11g model or the 10g model…..but not both

How Do You Implement SSL?

SSL is the mechanism used to enable secured HTTPS communications between client web browser and the BI Server:

SSL works fully in OBIEE, the implementation details are in the documentation (Security Guide)

You have to do all four sections…..no shortcuts!

How Do You Implement SSL?

SSL configuration is fiddly by nature, set aside around 2 man-days to configure it for the first time in development

The duration to implement could take longer, since you have to obtain a

trusted certificate from a “certificate authority” Demo certificates are available (but you will get a standard security warning in

the browser if you use them)

The following Tech Notes on myOracle Support compliment the Oracle Documentation: OBIEE 11g SSL Setup and Configuration (Doc ID 1326781.1) Procedure for configuring Node Manager with SSL. (Doc ID 1142995.1)

Further Notes

How Do You Implement SSO?

Supported SSO Mechanisms: Oracle Access Manager (OAM) Oracle Single Sign on (OSSO) Windows Native Authentication without IIS (Kerberos) Weblogic Default Asserter (Client Certificate Authentication)

Other supported features:

EBS ICX Cookie Mechanism Siteminder 6 via HTTP Header Go-URL with NQUser / NQPassword SSO via HTTP header & cookie (requires customisation of BI Config)

SSO Support (11.1.1.6)

With OAM you need an HTTP Proxy and Webgate to sit in front of WebLogic and perform the SSO redirection:

With SSO, the order of authenticators should be as follows: 1. Your LDAP authenticator (Sufficient) 2. Your SSO Asserter (Required) 3. WebLogic Embedded LDAP (Sufficient)

The LDAP authenticator is required for two reasons:

Perform authentication for non-SSO access (e.g. BI Office) Obtain Groups for users who have authenticated via SSO

Identity Providers

You also need to enable SSO within FMW Control: Specify SSO provider SSO Logon URL SSO Logoff URL

FMW Control

How Do You Implement SSO? OAM Install Steps

A tech note / white paper exists for implementing SSO with AD

Not for the faint hearted!

Active Directory / Kerberos

Error Messages That Could Mean a Million Things

What Do I Do When It All Goes Wrong?

1. Try a different user account

2. Try logging on with a system user account e.g. weblogic

3. Confirm you can log on to Weblogic Console and/or FMW Control (to confirm authentication is actually working)

4. Reset the user’s password

5. Archive and delete user from the catalog, restart Presentation Services and then unarchive user back into the catalog If issue is just with one user

Try different logins

6. Check OPMN services are running

7. Check database and listener are working to _BIPLATFORM and _MDS schemas (and make sure db passwords have not expired!):

Check Services

8. Check the Admin and Managed Server log files: …./user_projects/domains/bifoundation_domain/servers/AdminServer/log …./user_projects/domains/bifoundation_domain/servers/bi_server1/log

9. Check BI Server and BI Presentation Services logs: …./instances/instance1/diagnostics/log/OracleBIPresentationServices/coreapplcation …./instances/instance1/diagnostics/log/OracleBIBIServer/coreapplcation

Check Log Files

10. Check connectivity to LDAP / AD server is ok (you do this in WebLogic Console – make sure you can see the external Groups and Users)

11. Check HOSTS file has not changed, the very first entry should have IP address and server name

12. Refresh GUIDs

13. Restart WebLogic and OPMN Services

14. Restart WebLogic AdminServer, and then start all other process from within the WebLogic Admin Console and FMW Control (i.e. no command-line)

15. Restart whole server, then start up WebLogic and OPMN services

Further Actions

16. Delete the two “BISystemUser” user entries from Presentation Catalog, then restart services: [Catalog Root]\root\users

17. Delete the two “sawguidstate” entries from the “System” Presentation Catalog folder, then restart services: [Catalog Root]\root\system\mktgcache\[Hostname]

More Drastic Actions

18. Re-enter “BISystemUser” credentials in the Credential Store, then restart all services:

Last Ditch Attempts….

19. See Oracle Support article 1359798.1 to download Technote on troubleshooting OBIEE security: Oracle BI Enterprise Edition 11g Security - Troubleshooting.pdf

Oracle Technote

20. http://support.oracle.com

Contact Oracle!

Closing Thoughts

Security is by nature a complex topic – it is not just complicated in Oracle BI

There is obviously more work that can be done to simplify things in Oracle BI 11g but let’s try to be pleased with what we have: A huge array of security capability

Support for small implementations all the way up to very large

enterprise deployments

A common model across Fusion Middleware applications

Summary

Questions?

Helping Your Business Intelligence Journey

Heljula Security 123

userprojectsdomainsbifoundationdomainconfigfmwconfigsystem

peak indicators

frequently

multiple identity

11g security

10g security

bi presentation

oracle bi

Documents

Heljula SOA

Heljula Security 123

EE500 Series Endura Xpress - 123 Security Products

1U Series Standalone DVR User's Manual - 123 CCTV Security

Sesion 1 ECD-123-123

CNIT 123: Ch 7: Programming for Security Professionals

AudioCodes One Voice Operations Center Security Guidelines.....

123 + 56 22 + 88 22 + 89 123 +456 123 +654 456

storage.kopertis6.or.idstorage.kopertis6.or.id/kemahasiswaan...

Oracle Bi 11g Security - It is as Easy as 1-2-3 (Antony...

Assertions and Protocols for the OASIS Security … and...

ANALYSIS OF SECURITY ISSUES OF ATM -...

The Transport Layer Security (TLS) Protocol Version 1 ·...

Get the most out of your security logs using syslog-ng...Mar...

123\XXX-4-R 123\XXX-4-A 123\XXX-4

Oracle BI Suite Enterprise Edition “Advanced” RPD...