
Upload: asifsubhan

Post on 14-Sep-2015


Steps to Configure BI Applications 11.1.1.7.1 with External Authentication

Oracle Business Intelligence uses the Oracle WebLogic Server LDAP directory for authentication by default. The BI Applications 11.1.1.7.1 installation on the BI EE platform requires the use of the embedded Weblogic LDAP. Once BI Applications has been installed and set up following the BI Applications 11.1.1.7.1 Installation Guide, it can be configured to use an external LDAP for authentication.

Configuring BI Applications 11.1.1.7.1 to use an external LDAP for authentication

Pre-requisite: BI Applications 11.1.1.7.1 has been installed into the BI Domain where the default Weblogic embedded LDAP is used for authentication.

NOTE: The BI Applications installation will fail if an external LDAP system is being used. If you have configured the BI system for use with an external LDAP (for example, Oracle Internet Directory) you must re-configure to use the default Weblogic embedded LDAP before you perform the BI Applications installation.

The steps to configure the BI system including BI Applications to use an external authenticator are provided below:

1. Configure the Business Intelligence system to use an external LDAP for authentication

By default, the BI system uses the Weblogic Server embedded LDAP. To configure BI to use an external authenticator, see the Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1) > Chapter 3 Using Alternative Authentication Providers.

2. Create the BI Applications Administrator and BIAppsSystemUser users in the external LDAP system

In the external LDAP, create the BI Applications Administrator user. This user will be granted the BI Applications Administrator Duty and will be added to the ODI Repository with Supervisor privileges during script execution in step 4 below. This user will have full access to BI Applications Configuration Manager and to ODI Console and the ODI Repository.

In the external LDAP, create a user with name BIAppsSystemUser. This user's credentials will be used by the ODI Java EE Agent deployed in Weblogic to connect to the ODI Repository. This user will also be created in the ODI repository with SUPERVISOR privileges during script execution in step 4 below.

3. Update the oracle.biapps.system credential map to include the BIAppsSystemUser user

Update the oracle.biapps.system credential map to include the BIAppsSystemUser user as follows:

Run wlst.sh from MW_HOME/oracle_common/common/bin folder:

    connect('', '', 't3://:')
    updateCred(map='oracle.biapps.system', key='system', user='BIAppsSystemUser', password='', desc="Credential")

where: is the password entered for the BIAppsSystemUser in step 2 above.

4. Run switch_odiToExternalAuth.py script

This script will associate the BI Applications Administrator Duty to the BI Applications Administrator user and will add the BI Applications Administrator and BIAppsSystemUser users to the ODI repository with Supervisor privileges. ODI will be configured to use the external LDAP for authentication.

Run the following command from MW_HOME/oracle_common/common/bin folder:

    ./wlst.sh /bifoundation/install/switch_odiToExternalAuth.py --ADMIN_USER_NAME --DOMAIN_HOSTNAME --DOMAIN_PORT --DOMAIN_HOME_PATH --ODI_HOME_PATH --ODI_DB_CONN_STRING jdbc:oracle:thin:@ --ODI_DB_SCHEMA_USER --ODI_CONSOLE_USER_NAME --OID_USER --LDAP_URL --USERBASE_PREFIX --GROUPBASE_PREFIX

Where the ODI_CONSOLE_USER is the BI Applications Administrator User.

Restart the ODI Managed Server using Weblogic Administration Console.

5. Configure ODI Studio Security files

The ODI Repository is configured for external authentication against your external LDAP server. ODI Studio must be configured to use the appropriate security files for authentication. The security files have to be regenerated for login to ODI Studio to be successful.

a. Run the following command from BI_ORACLE_HOME/common/bin folder in order to generate the ODI client security artifacts.

NOTE: Do not run wlst from any other location.

    ./wlst.sh /Oracle_BI1/bifoundation/install/createJPSArtifactsODI.py external --ADMIN_USER_NAME --DOMAIN_HOSTNAME --DOMAIN_PORT --DOMAIN_HOME_PATH /user_projects/domains/bifoundation_domain> --OID_USER cn=orcladmin --LDAP_URL --USERBASE_PREFIX --GROUPBASE_PREFIX

Where:

the external parameter is used to configure to the external LDAP system.
--ADMIN_USER_NAME : Weblogic Administrator user name
--DOMAIN_HOSTNAME : BI Domain host name
--DOMAIN_PORT : BI Domain port
--DOMAIN_HOME_PATH : BI Domain home path
--OID_USER : OID user, e.g. cn=orcladmin
--LDAP_URL : external LDAP URL; format: ldap://host:port
--USERBASE_PREFIX : user base prefix; where users will be searched; e.g. cn=users,dc=us,dc=oracle,dc=com
--GROUPBASE_PREFIX : user group prefix; e.g. cn=groups,dc=us,dc=oracle,dc=com

Example:

    ./wlst.sh /scratch/mw6826/Oracle_BI1/bifoundation/install/createJPSArtifactsODI.py external --ADMIN_USER_NAME Administrator --DOMAIN_HOSTNAME slc01apw.us.oracle.com --DOMAIN_PORT 7001 --DOMAIN_HOME_PATH /scratch/mw6826/user_projects/domains/bifoundation_domain --OID_USER cn=orcladmin --LDAP_URL ldap://scl14405.us.oracle.com:3060 --USERBASE_PREFIX cn=users,dc=us,dc=oracle,dc=com --GROUPBASE_PREFIX cn=groups,dc=us,dc=oracle,dc=com

b. Copy the jps-config-jse.xml and cwallet.sso files from DOMAIN_HOME_PATH/odi-client-config/external to ODI_Home/oracledi/client/odi/bin on all machines where ODI Studio clients have been installed.

c. Open the ODI_Home/oracledi/client/odi/bin/odi.conf file for editing:

Edit the line starting with AddVMOption -Doracle.security.jps.config to point to the jps-config-jse.xml file and location:

    AddVMOption -Doracle.security.jps.config=./jps-config-jse.xml

(where jps-config-jse.xml and cwallet.sso have been copied to the ODI_Home/oracledi/client/odi/bin directory)
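
A check for steps 5b and 5c, added here as an example and not part of the Oracle document: the shell function below confirms that both security files sit beside odi.conf and that exactly one uncommented AddVMOption line sets the property to ./jps-config-jse.xml. The function names, the constructed sample directory and the permission check on cwallet.sso are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Oracle document): check an ODI Studio bin
# directory after steps 5b and 5c. Returns 0 when no finding is reported.
check_odi_client() {
    dir=$1
    rc=0
    # Step 5b: both artifacts must sit next to odi.conf.
    for f in jps-config-jse.xml cwallet.sso; do
        [ -f "$dir/$f" ] || { echo "MISSING $dir/$f"; rc=1; }
    done
    # Step 5c: exactly one active (uncommented) line may set the property,
    # and it must carry the value given in the document.
    key='^[[:space:]]*AddVMOption[[:space:]]\{1,\}-Doracle\.security\.jps\.config='
    if [ -f "$dir/odi.conf" ]; then
        n=$(grep -c "$key" "$dir/odi.conf" || true)
        m=$(grep -c "$key"'\./jps-config-jse\.xml[[:space:]]*$' "$dir/odi.conf" || true)
        if [ "$n" -ne 1 ] || [ "$m" -ne 1 ]; then
            echo "BAD odi.conf: $n line(s) set the property, $m with the expected value"
            rc=1
        fi
    else
        echo "MISSING $dir/odi.conf"; rc=1
    fi
    # Added hardening check (assumption, not a step in the document):
    # cwallet.sso holds credentials, so flag group/other read access.
    if [ -f "$dir/cwallet.sso" ] &&
       [ -n "$(find "$dir/cwallet.sso" \( -perm -040 -o -perm -004 \))" ]; then
        echo "EXPOSED $dir/cwallet.sso is readable by group or others"; rc=1
    fi
    return $rc
}

# Constructed sample directory so the check can be run offline.
make_sample() {
    d=$(mktemp -d)
    : > "$d/jps-config-jse.xml"
    : > "$d/cwallet.sso"
    chmod 600 "$d/cwallet.sso"
    printf '%s\n' '# AddVMOption -Doracle.security.jps.config=./old.xml' \
        'AddVMOption -Doracle.security.jps.config=./jps-config-jse.xml' > "$d/odi.conf"
    echo "$d"
}

sample=$(make_sample)
check_odi_client "$sample" && echo "OK $sample"
rm -rf "$sample"
```

On a real client, call check_odi_client with the ODI_Home/oracledi/client/odi/bin directory of each machine where the files were copied.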
