Post on 26-Apr-2020
Securing Your BI Environment
Bryan Wise
Oracle Public Sector
Goals of Securing an Oracle BI Solution
1. Provide a consistent security experience on a variety of different platforms for developers and administrators
2. Integrate third party directory services (AD, LDAP) with built-in management capabilities
3. Provide application roles and groups for specific security requirements
Oracle BI Security
(Diagram: the three layers are Authentication, Authorization and Permissions.)
Authentication sources shown: WebLogic LDAP, Oracle Internet Directory, LDAP v3, MS Active Directory, External Database Table.
Administration tools shown: Oracle Enterprise Manager Fusion Middleware Control, Oracle Business Intelligence Administration Console.
Authentication: Users and Groups
• Embedded WebLogic LDAP for < 1000 users
• Options to use non-Oracle solutions (i.e. Microsoft Active Directory), a database table, or Oracle Internet Directory
• No synching of user accounts needed with 3rd party solutions
• Can leverage multiple chained authentication steps
• Identity Management administrator role
(Diagram: Database Table, LDAP or MS AD as the identity source, feeding WebLogic, then BI Administration.)
Authorization: Roles & Policies
• Role-based access controls: functional roles within Oracle BI
• 3 OOTB roles: BIAdministrator, BIAuthor, BIConsumer
• Map application roles to existing corporate LDAP users & groups
• Responsibility of the Oracle BI application administrator
(Diagram: Database Table, LDAP or MS AD as the identity source, feeding WebLogic, then BI Administration, then Oracle BI.)
Permissions: Oracle BI Functionality
• Fine grained control of BI application functionality (what components can I access, what can I do within that component)
• Maps to application roles
• Responsibility managed by Oracle BI Administrators
(Diagram: Database Table, LDAP or MS AD as the identity source, feeding WebLogic, then BI Administration.)
Oracle BI Security Components
The right tool for the right responsibility
Key Concepts
(Diagram: an LDAP Server supplies Users and Groups. Three shared stores sit underneath Oracle BI, Oracle SOA, Oracle Service Bus, Oracle WebLogic Server, Oracle Web Services Manager, Oracle ADF/WebCenter and Oracle Fusion Applications: the Identity Store (Users, Groups), the Policy Store (Application Roles, Application Policies) and the Credential Store (System Credentials).)
Key Concepts – Default Configuration
(Diagram: same components as above, with the Identity Store backed by WLS LDAP and the Policy Store and Credential Store both file-based.)
Key Concepts – Common Configuration
(Diagram: same components as above, with the Identity Store backed by an External LDAP; the slide lists the other two stores as File and External LDAP.)
Key Concepts – Case Study
(Diagram: same components as above, with the Identity Store backed by a Database Table and the Policy Store and Credential Store both file-based.)
Common Security Setup
• Oracle BI 11g using Fusion Middleware Security
  • External LDAP (OID, AD) for users and groups
  • Database Table Authentication
  • Internal Security (not recommended for production)
  • External LDAP for users, Database Tables for groups (new in 11.1.1.6)
• Oracle BI 11g using 10g-style security (init-blocks)
  • External LDAP for users, Database Tables for groups
  • Database Table Authentication
  • RPD users (not recommended for production)
Case Study: Database Table Authentication
• Business background
• Architecture
• DB setup
• BI Setup
• Diagnostics
The PSBI Cloud demo environment
• BIEE using table based authentication and authorization
  • Users
  • Groups
  • Demos – collection of groups required for a demo
• APEX application to manage users, groups
• APEX application uses the same table based authentication but different authorization
  • Users
  • User types (customer, partner, employee, admin)
APEX functionality
• Oracle Employees
  • Request an Account
  • Reset their password
  • Find a lost username
  • Configure their demo
  • Setup Workshops
  • Provision Workshop Users
• Customers (workshop attendees) and Partners
  • Reset their password
  • Download workshop material
• System Administrators
  • Approve account requests
  • Create Partner Accounts
Architecture Diagram
(Diagram: three tiers. Database: Identity Store Schema, Authentication Package. APEX: Custom Authentication Scheme, Security Application. BI: FMW Security, WebLogic SQL-Authenticator.)
Tables Required
(Screenshot of the table definitions.)
Columns of interest
• APP_USERS
  • Password – stores hashed password
  • Exp_date – must be greater than sysdate to login to BI or APEX
  • User_Type_id – determines authorization in APEX application
• Demo
  • Usable_by_id – determines what type of user can use this demo
  • logic built into the auth_util.usable function
  • Bad design – should have created a user_type-to-demo table
• Groups
  • Group_type_id – used to distinguish between groups and web groups
PL/SQL Package

-- Package specification (punctuation restored; bodies are on the following slides)
CREATE OR REPLACE PACKAGE AUTH_UTIL AS
  PROCEDURE valid_user2
    (p_username IN VARCHAR2, p_password IN VARCHAR2);
  FUNCTION valid_user
    (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;
  PROCEDURE set_password
    (p_username IN VARCHAR2, p_password IN VARCHAR2);
  PROCEDURE login
    (p_username IN VARCHAR2, p_password IN VARCHAR2,
     p_session_id IN VARCHAR2, p_flow_page IN VARCHAR2);
  FUNCTION usable
    (p_item_user_type_id IN NUMBER, p_user_user_type_id IN NUMBER)
    RETURN VARCHAR2;
  FUNCTION complex_password
    (p_user_name IN VARCHAR2, p_old_password IN VARCHAR2,
     p_new_password IN VARCHAR2)
    RETURN BOOLEAN;
END AUTH_UTIL;
Hash Function

-- Produces '{SHA-1}' followed by the base64-encoded SHA-1 digest of the
-- UTF-8 bytes of the password, which is the form the WebLogic
-- SQLAuthenticator compares against when plaintext passwords are disabled.
FUNCTION hash_password(p_password IN VARCHAR2)
  RETURN VARCHAR2
AS
  v_hash_algorithm PLS_INTEGER;
  v_return         VARCHAR2(4000);
BEGIN
  v_hash_algorithm := DBMS_CRYPTO.HASH_SH1;
  v_return := '{SHA-1}' || UTL_RAW.CAST_TO_VARCHAR2(
                UTL_ENCODE.BASE64_ENCODE(
                  DBMS_CRYPTO.HASH(
                    UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8'),
                    v_hash_algorithm)));
  RETURN v_return;
END hash_password;

WebLogic defaults to a base64-encoded SHA-1 hashed password.
APEX security setup
(Screenshot of the APEX custom authentication scheme.)

APEX Code
-- APEX authentication function: any failure (no such user, wrong password,
-- or an unexpected error) is collapsed into FALSE so the caller learns nothing
-- beyond "login refused".
function valid_user (p_username in varchar2, p_password in varchar2) return boolean as
begin
  valid_user2(p_username, p_password);
  return true;
exception
  when others then return false;
end valid_user;

-- Looks the user up case-insensitively and compares the stored hash with the
-- hash of the supplied password; raises if no row matches.
procedure valid_user2 (p_username in varchar2, p_password in varchar2) as
  v_dummy varchar2(1);
begin
  select 1
    into v_dummy
    from app_users
   where upper(user_name) = upper(p_username)
     and password = hash_password(p_password);
exception
  when no_data_found then
    raise_application_error(-20000, 'Invalid username/password');
end valid_user2;
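The hash format and the valid_user / valid_user2 check above, as an added Python model that is not the deck's PL/SQL: it produces the same '{SHA-1}' + base64 string for the password column, looks the user up the way valid_user2 does, and also enforces the Exp_date rule from the "Columns of interest" slide, which the APEX snippet itself does not check. The APP_USERS column names (user_name, password, exp_date) come from the slides; the curly-brace prefix, the sample rows and the fixed date are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import sqlite3
from datetime import date, timedelta

# Assumed prefix form: WebLogic-style '{SHA-1}' in front of the base64 digest.
HASH_PREFIX = "{SHA-1}"


def hash_password(password: str) -> str:
    """Same encoding as the slide's PL/SQL hash_password:
    '{SHA-1}' + base64(SHA-1(UTF-8 bytes of the password)).
    Unsalted, single-round SHA-1 is a compatibility format for the
    SQLAuthenticator, not a password store you would design today."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return HASH_PREFIX + base64.b64encode(digest).decode("ascii")


def build_demo_store(today: date) -> sqlite3.Connection:
    """In-memory stand-in for APP_USERS with constructed rows (not the deck's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_users (user_name TEXT PRIMARY KEY, "
        "password TEXT NOT NULL, exp_date TEXT NOT NULL)"
    )
    rows = [
        ("demo_user", hash_password("password"),
         (today + timedelta(days=30)).isoformat()),   # still valid
        ("old_user", hash_password("expired-pw"),
         (today - timedelta(days=1)).isoformat()),    # Exp_date already passed
    ]
    conn.executemany("INSERT INTO app_users VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def valid_user(conn: sqlite3.Connection, username: str, password: str,
               today: date) -> bool:
    """Mirror of valid_user2 (case-insensitive user_name, hash compare) plus the
    slide's Exp_date rule: exp_date must be later than sysdate (here `today`)."""
    row = conn.execute(
        "SELECT password, exp_date FROM app_users WHERE UPPER(user_name) = UPPER(?)",
        (username,),
    ).fetchone()
    if row is None:
        return False
    stored_hash, exp_date = row
    # Constant-time comparison; like the original valid_user, the caller only
    # ever sees True/False, never which step failed.
    if not hmac.compare_digest(stored_hash, hash_password(password)):
        return False
    return date.fromisoformat(exp_date) > today


def demo_results() -> dict:
    """Exercise the check on the constructed table; returns the outcome per case."""
    today = date(2020, 4, 26)  # fixed 'sysdate' for a reproducible run
    conn = build_demo_store(today)
    return {
        "good": valid_user(conn, "DEMO_USER", "password", today),  # name case ignored
        "wrong_pw": valid_user(conn, "demo_user", "Password", today),
        "unknown": valid_user(conn, "nobody", "password", today),
        "expired": valid_user(conn, "old_user", "expired-pw", today),
    }


if __name__ == "__main__":
    print(hash_password("password"))
    print(demo_results())
```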
BI Security Setup
• Setup JDBC data source in WebLogic
• Add SQLAuthenticator in WebLogic
  • Reorder so that this new provider is first in the list
  • Set control flag to "SUFFICIENT"
• Setup Provider Specific information
  • Uncheck plaintext password
  • List Data Source
  • Check queries
• Setup BI System User
• Test Configuration
JDBC Data Source
(Screenshot of the WebLogic JDBC data source.)

Authentication Provider
(Screenshot of the WebLogic authentication provider list.)

Provider Details
(Screenshot of the SQLAuthenticator provider-specific settings.)

Verify Provider is working in WebLogic
(Screenshot of the users listed by the SQL Authenticator.)
Setup Virtualization
• Load OVD templates
  • Enables BI to see database tables as LDAP attributes
  • Limited OVD capabilities embedded into Fusion Middleware
• Set Virtualization parameter in Enterprise Manager
  • Enables you to leave the default authenticator setup
  • Recommended to leave the default authenticator

Partial OVD Template
<objectClass name="inetorgperson" rdn="cn">
  <attribute ldap="cn" table="USERS" field="U_NAME" type="" />
  <attribute ldap="uid" table="USERS" field="U_NAME" type="" />
  <attribute ldap="usernameattr" table="USERS" field="U_NAME" type="" />
  <attribute ldap="loginid" table="USERS" field="U_NAME" type="" />
  <attribute ldap="description" table="USERS" field="U_DESCRIPTION" type="" />
  <attribute ldap="mail" table="USERS" field="MAIL" type="" />
  <attribute ldap="orclguid" table="USERS" field="U_NAME" type="" />
</objectClass>
(Callouts: table/field = Database Column, ldap = LDAP Attribute.)
Virtualization Parameter in EM
(Screenshot of the Enterprise Manager security provider configuration.)
BI System User
• Add user to Database tables (no groups required)
• Map user to BISystem Role in Enterprise Manager
• Add BISystemUser to Credential Store
BI System User in Identity Store
(Screenshot: Identity Store, Oracle 11g.)

BI System User in Policy Store
(Screenshot: Policy Store, built-in role.)

BI System User in Credential Store
(Screenshot: Credential Store, Oracle 11g.)
Testing
• Try to login to BI
• See if your table-based users show up in WebLogic
• If that fails, attempt to login to WebLogic
  • Add the user temporarily to the WebLogic Global Admin role
• Use the new diagnostics utility to isolate any problems
Diagnostics Application
• New application that ships with OBIEE 11.1.1.6
• Deploy bidiagnostics.ear to the Admin Server
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp
• Follow instructions for configuration
• Restart BI
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp

BI Diagnostics
(Screenshot of the diagnostics page.)
For Further Information: Oracle Technology Network
• Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
  • http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/toc.htm
• WebLogic Security
  • http://docs.oracle.com/cd/E23943_01/wls.htm#security
• Oracle Fusion Middleware Security Overview
  • http://docs.oracle.com/cd/E23943_01/core.1111/e12889/toc.htm
Goals of Securing an Oracle BI Solution
1 Provide a consistent security experience on a
variety of different platforms for developers and
administrators
2 Integrate third party directory services (AD LDAP)
with built-in management capabilities
3 Provide application roles and groups for specific
security requirements
2
Oracle BI Security
3
Authentication Authorization Permissions
Oracle BI Security
4
Authentication Authorization Permissions
WebLogic LDAP
Oracle Internet Directory
LDAP v3
MS Active Directory
External Database Table
Oracle Enterprise Manager
Fusion Middleware Control
Oracle Business Intelligence
Administration Console
Authentication Users and Groups
bull Embedded WebLogic LDAP for lt 1000 users
bull Options to use non-Oracle solutions ie Microsoft Active
Directory database table Oracle Internet Directory
bull No synching of user accounts needed with 3rd party solutions
bull Can leverage multiple chained authentication steps
bull Identity Management administrator role
5
Database Table
LDAP
MS AD
WebLogic BI Administration
Authorization Roles amp Policies
bull Role-based access controls functional roles within Oracle BI
bull 3 OOTB roles BIAdministrator BIAuthor BIConsumer
bull Map application roles to existing corporate LDAP users amp groups
bull Responsibility of the Oracle BI application administrator
6
Database Table
LDAP
MS AD
WebLogic BI Administration Oracle BI
Permissions Oracle BI Functionality
bull Fine grained control of BI application functionality (what
components can I access what can I do within that component)
bull Maps to application roles
bull Responsibility managed by Oracle BI Administrators
7
Database Table
LDAP
MS AD
WebLogic BI Administration
Oracle BI Security Components
8
The right tool for the right responsibility
LDAP Server
(Users and Groups
Key Concepts
Identity Store
Policy Store
Credential Store
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
System Credentials
Application Roles Application Policies
Users Groups
Key Concepts ndash Default Configuration
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File File WLS LDAP
Key Concepts ndash Common
Configuration
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File External LDAP External LDAP
Key Concepts ndash Case Study
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File File Database Table
Common Security Setup
bull Oracle BI 11g using Fusion Middleware Security
bull External LDAP (OID AD) for users and groups
bull Database Table Authentication
bull Internal Security (not recommended for production)
bull External LDAP for users Database Tables for groups (new in
11116)
bull Oracle BI 11g using 10g-sytle security (init-blocks)
bull External LDAP for users Database Tables for groups
bull Database Table Authentication
bull RPD users (not recommended for production)
13
Case Study Database Table
Authentication
bull Business background
bull Architecture
bull DB setup
bull BI Setup
bull Diagnostics
14
15
The PSBI Cloud demo environment
bull BIEE using table based authentication and
authorization
bull Users
bull Groups
bull Demos ndash collection of groups required for a demo
bull APEX application to manage users groups
bull APEX application uses the same table based
authentication but different authorization
bull Users
bull User types (customer partner employee admin)
16
APEX functionality
bull Oracle Employees
bull Request an Account
bull Reset their password
bull Find a lost username
bull Configure their demo
bull Setup Workshops
bull Provision Workshop Users
bull Customers (workshop attendees) and Partners
bull Reset their password
bull Download workshop material
bull System Administrators
bull Approve account requests
bull Create Partner Accounts
Architecture Diagram
17
Database
Identity Store Schema
Authentication Package
APEX
Custom Authentication
Scheme
Security Application
BI
FMW Security
WebLogic
SQL-Authenticator
18
Tables Required
19
Columns of interest
bull APP_USERS
bull Password ndash stores hashed password
bull Exp_date ndash must be greater than sysdate to login to BI or APEX
bull User_Type_id ndash determines authorization in APEX application
bull Demo
bull Usable_by_id ndash determines what type of user can use this demo
bull logic built into the auth_utilusable function
bull Bad design ndash should have created a user_type to demo table
bull Groups
bull Group_type_id ndash used to distinguish between groups and web
groups
20
PLSQL Package
CREATE OR REPLACE PACKAGE AUTH_UTILldquo AS
PROCEDURE valid_user2
( p_username IN VARCHAR2 p_password IN VARCHAR2)
FUNCTION valid_user
(p_username IN VARCHAR2 p_password IN VARCHAR2)
RETURN BOOLEAN
PROCEDURE set_password
(p_username IN VARCHAR2 p_password IN VARCHAR2)
PROCEDURE login
(p_username IN VARCHAR2 p_password IN VARCHAR2
p_session_id IN VARCHAR2 p_flow_page IN VARCHAR2 )
FUNCTION usable
( p_item_user_type_id IN NUMBERp_user_user_type_id IN NUMBER)
RETURN VARCHAR2
FUNCTION complex_password
( p_user_name IN VARCHAR2 p_old_password IN VARCHAR2
p_new_password IN VARCHAR2)
RETURN BOOLEAN
END AUTH_UTIL
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
RETURN VARCHAR2
AS
v_hash_algorithm pls_integer
v_return VARCHAR2(4000)
BEGIN
v_hash_algorithm = dbms_cryptohash_sh1
v_return = SHA-1|| utl_rawcast_to_varchar2( UTL_ENCODEBASE64_ENCODE( dbms_cryptohash( UTL_I18NSTRING_TO_RAW (p_password AL32UTF8)v_hash_algorithm)))
RETURN v_return
END
WebLogic defaults to base 64 encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
Oracle BI Security
3
Authentication Authorization Permissions
Oracle BI Security
4
Authentication Authorization Permissions
WebLogic LDAP
Oracle Internet Directory
LDAP v3
MS Active Directory
External Database Table
Oracle Enterprise Manager
Fusion Middleware Control
Oracle Business Intelligence
Administration Console
Authentication Users and Groups
bull Embedded WebLogic LDAP for lt 1000 users
bull Options to use non-Oracle solutions ie Microsoft Active
Directory database table Oracle Internet Directory
bull No synching of user accounts needed with 3rd party solutions
bull Can leverage multiple chained authentication steps
bull Identity Management administrator role
5
Database Table
LDAP
MS AD
WebLogic BI Administration
Authorization Roles amp Policies
bull Role-based access controls functional roles within Oracle BI
bull 3 OOTB roles BIAdministrator BIAuthor BIConsumer
bull Map application roles to existing corporate LDAP users amp groups
bull Responsibility of the Oracle BI application administrator
6
Database Table
LDAP
MS AD
WebLogic BI Administration Oracle BI
Permissions Oracle BI Functionality
bull Fine grained control of BI application functionality (what
components can I access what can I do within that component)
bull Maps to application roles
bull Responsibility managed by Oracle BI Administrators
7
Database Table
LDAP
MS AD
WebLogic BI Administration
Oracle BI Security Components
8
The right tool for the right responsibility
LDAP Server
(Users and Groups
Key Concepts
Identity Store
Policy Store
Credential Store
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
System Credentials
Application Roles Application Policies
Users Groups
Key Concepts ndash Default Configuration
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File File WLS LDAP
Key Concepts ndash Common
Configuration
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File External LDAP External LDAP
Key Concepts ndash Case Study
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File File Database Table
Common Security Setup
bull Oracle BI 11g using Fusion Middleware Security
bull External LDAP (OID AD) for users and groups
bull Database Table Authentication
bull Internal Security (not recommended for production)
bull External LDAP for users Database Tables for groups (new in
11116)
bull Oracle BI 11g using 10g-sytle security (init-blocks)
bull External LDAP for users Database Tables for groups
bull Database Table Authentication
bull RPD users (not recommended for production)
13
Case Study Database Table
Authentication
bull Business background
bull Architecture
bull DB setup
bull BI Setup
bull Diagnostics
14
15
The PSBI Cloud demo environment
bull BIEE using table based authentication and
authorization
bull Users
bull Groups
bull Demos ndash collection of groups required for a demo
bull APEX application to manage users groups
bull APEX application uses the same table based
authentication but different authorization
bull Users
bull User types (customer partner employee admin)
16
APEX functionality
bull Oracle Employees
bull Request an Account
bull Reset their password
bull Find a lost username
bull Configure their demo
bull Setup Workshops
bull Provision Workshop Users
bull Customers (workshop attendees) and Partners
bull Reset their password
bull Download workshop material
bull System Administrators
bull Approve account requests
bull Create Partner Accounts
Architecture Diagram
17
Database
Identity Store Schema
Authentication Package
APEX
Custom Authentication
Scheme
Security Application
BI
FMW Security
WebLogic
SQL-Authenticator
18
Tables Required
19
Columns of interest
bull APP_USERS
bull Password ndash stores hashed password
bull Exp_date ndash must be greater than sysdate to login to BI or APEX
bull User_Type_id ndash determines authorization in APEX application
bull Demo
bull Usable_by_id ndash determines what type of user can use this demo
bull logic built into the auth_utilusable function
bull Bad design ndash should have created a user_type to demo table
bull Groups
bull Group_type_id ndash used to distinguish between groups and web
groups
20
PLSQL Package
CREATE OR REPLACE PACKAGE AUTH_UTILldquo AS
PROCEDURE valid_user2
( p_username IN VARCHAR2 p_password IN VARCHAR2)
FUNCTION valid_user
(p_username IN VARCHAR2 p_password IN VARCHAR2)
RETURN BOOLEAN
PROCEDURE set_password
(p_username IN VARCHAR2 p_password IN VARCHAR2)
PROCEDURE login
(p_username IN VARCHAR2 p_password IN VARCHAR2
p_session_id IN VARCHAR2 p_flow_page IN VARCHAR2 )
FUNCTION usable
( p_item_user_type_id IN NUMBERp_user_user_type_id IN NUMBER)
RETURN VARCHAR2
FUNCTION complex_password
( p_user_name IN VARCHAR2 p_old_password IN VARCHAR2
p_new_password IN VARCHAR2)
RETURN BOOLEAN
END AUTH_UTIL
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
RETURN VARCHAR2
AS
v_hash_algorithm pls_integer
v_return VARCHAR2(4000)
BEGIN
v_hash_algorithm = dbms_cryptohash_sh1
v_return = SHA-1|| utl_rawcast_to_varchar2( UTL_ENCODEBASE64_ENCODE( dbms_cryptohash( UTL_I18NSTRING_TO_RAW (p_password AL32UTF8)v_hash_algorithm)))
RETURN v_return
END
WebLogic defaults to base 64 encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
Oracle BI Security
4
Authentication Authorization Permissions
WebLogic LDAP
Oracle Internet Directory
LDAP v3
MS Active Directory
External Database Table
Oracle Enterprise Manager
Fusion Middleware Control
Oracle Business Intelligence
Administration Console
Authentication Users and Groups
bull Embedded WebLogic LDAP for lt 1000 users
bull Options to use non-Oracle solutions ie Microsoft Active
Directory database table Oracle Internet Directory
bull No synching of user accounts needed with 3rd party solutions
bull Can leverage multiple chained authentication steps
bull Identity Management administrator role
5
Database Table
LDAP
MS AD
WebLogic BI Administration
Authorization Roles amp Policies
bull Role-based access controls functional roles within Oracle BI
bull 3 OOTB roles BIAdministrator BIAuthor BIConsumer
bull Map application roles to existing corporate LDAP users amp groups
bull Responsibility of the Oracle BI application administrator
6
Database Table
LDAP
MS AD
WebLogic BI Administration Oracle BI
Permissions Oracle BI Functionality
bull Fine grained control of BI application functionality (what
components can I access what can I do within that component)
bull Maps to application roles
bull Responsibility managed by Oracle BI Administrators
7
Database Table
LDAP
MS AD
WebLogic BI Administration
Oracle BI Security Components
8
The right tool for the right responsibility
LDAP Server
(Users and Groups
Key Concepts
Identity Store
Policy Store
Credential Store
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
System Credentials
Application Roles Application Policies
Users Groups
Key Concepts ndash Default Configuration
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File File WLS LDAP
Key Concepts ndash Common
Configuration
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File External LDAP External LDAP
Key Concepts ndash Case Study
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File File Database Table
Common Security Setup
bull Oracle BI 11g using Fusion Middleware Security
bull External LDAP (OID AD) for users and groups
bull Database Table Authentication
bull Internal Security (not recommended for production)
bull External LDAP for users Database Tables for groups (new in
11116)
bull Oracle BI 11g using 10g-sytle security (init-blocks)
bull External LDAP for users Database Tables for groups
bull Database Table Authentication
bull RPD users (not recommended for production)
13
Case Study Database Table
Authentication
bull Business background
bull Architecture
bull DB setup
bull BI Setup
bull Diagnostics
14
15
The PSBI Cloud demo environment
bull BIEE using table based authentication and
authorization
bull Users
bull Groups
bull Demos ndash collection of groups required for a demo
bull APEX application to manage users groups
bull APEX application uses the same table based
authentication but different authorization
bull Users
bull User types (customer partner employee admin)
16
APEX functionality
• Oracle Employees
  • Request an account
  • Reset their password
  • Find a lost username
  • Configure their demo
  • Set up workshops
  • Provision workshop users
• Customers (workshop attendees) and Partners
  • Reset their password
  • Download workshop material
• System Administrators
  • Approve account requests
  • Create partner accounts
Architecture Diagram
[Diagram: Database (Identity Store schema, Authentication package) serves two consumers: APEX (custom authentication scheme, security application) and BI (FMW Security on WebLogic, via the SQL Authenticator).]
Tables Required
[Diagram: data model of the tables required; the columns of interest are listed on the next slide.]
Columns of interest
• APP_USERS
  • Password – stores the hashed password
  • Exp_date – must be greater than sysdate to log in to BI or APEX
  • User_Type_id – determines authorization in the APEX application
• Demo
  • Usable_by_id – determines what type of user can use this demo
  • Logic built into the auth_util.usable function
  • Bad design – should have created a user_type-to-demo table
• Groups
  • Group_type_id – used to distinguish between groups and web groups
PL/SQL Package
CREATE OR REPLACE PACKAGE AUTH_UTIL AS
  -- Raises an application error when the username/password pair does not match a row
  PROCEDURE valid_user2
    (p_username IN VARCHAR2, p_password IN VARCHAR2);
  -- Boolean wrapper around valid_user2, used by the APEX authentication scheme
  FUNCTION valid_user
    (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;
  -- Stores the hashed form of p_password for the user
  PROCEDURE set_password
    (p_username IN VARCHAR2, p_password IN VARCHAR2);
  -- APEX login hook: validates and then starts the APEX session
  PROCEDURE login
    (p_username IN VARCHAR2, p_password IN VARCHAR2,
     p_session_id IN VARCHAR2, p_flow_page IN VARCHAR2);
  -- Decides whether a user of one type may use an item (demo) restricted to another type
  FUNCTION usable
    (p_item_user_type_id IN NUMBER, p_user_user_type_id IN NUMBER)
    RETURN VARCHAR2;
  -- Password complexity / reuse check applied on password change
  FUNCTION complex_password
    (p_user_name IN VARCHAR2, p_old_password IN VARCHAR2,
     p_new_password IN VARCHAR2)
    RETURN BOOLEAN;
END AUTH_UTIL;
/
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
  RETURN VARCHAR2
AS
  v_hash_algorithm PLS_INTEGER;
  v_return         VARCHAR2(4000);
BEGIN
  v_hash_algorithm := DBMS_CRYPTO.HASH_SH1;
  -- Convert the password to AL32UTF8 bytes, SHA-1 hash them, base64-encode the digest
  -- and prefix the algorithm tag so the stored value matches the format WebLogic's
  -- SQLAuthenticator compares against (the braces around SHA-1 are restored here;
  -- the extracted slide text shows only SHA-1)
  v_return := '{SHA-1}' || UTL_RAW.CAST_TO_VARCHAR2(
                UTL_ENCODE.BASE64_ENCODE(
                  DBMS_CRYPTO.HASH(UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8'),
                                   v_hash_algorithm)));
  RETURN v_return;
END hash_password;
WebLogic defaults to a base64-encoded SHA-1 hashed password.
APEX security setup
[Screenshot]
APEX Code
function valid_user (p_username in varchar2, p_password in varchar2) return boolean AS
BEGIN
  -- any failure inside valid_user2 (no matching row, wrong hash) becomes a FALSE result
  valid_user2(p_username, p_password);
  return true;
exception when others then return false;
END valid_user;

procedure valid_user2 (p_username in varchar2, p_password in varchar2) AS
  v_dummy varchar2(1);
BEGIN
  -- username match is case-insensitive; the stored hash must equal the hash of the supplied password
  select 1
    into v_dummy
    from app_users
   where upper(user_name) = upper(p_username)
     and password = hash_password(p_password);
exception when NO_DATA_FOUND then
  raise_application_error(-20000, 'Invalid username/password');
END valid_user2;
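The hash format and the validation logic above, as an added Python example that is not part of the deck: APP_USERS rows, names and passwords are constructed for the example, the '{SHA-1}' tag is assumed to be the SQLAuthenticator's stored-hash format, and the exp_date rule from the "Columns of interest" slide is assumed to be enforced at login.

```python
import base64
import hashlib
import hmac
from datetime import date


def hash_password(password: str) -> str:
    """Produce the stored form used by the deck's PL/SQL hash_password:
    base64(SHA-1(AL32UTF8 bytes)) with a '{SHA-1}' tag in front.
    With 'Plaintext Passwords Enabled' unchecked this is the form the
    WebLogic SQLAuthenticator compares against (tag assumed here; the
    extracted slide shows only SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA-1}" + base64.b64encode(digest).decode("ascii")


# Constructed stand-in for the APP_USERS table (user_name, password, exp_date).
# Names, passwords and dates are made up for this example.
APP_USERS = [
    {"user_name": "bi_demo", "password": hash_password("Welcome1"),
     "exp_date": date(2099, 12, 31)},
    {"user_name": "expired_user", "password": hash_password("Welcome1"),
     "exp_date": date(2011, 1, 1)},
]


def valid_user2(username: str, password: str, today=None) -> None:
    """Mirror of the PL/SQL valid_user2: case-insensitive user_name match plus
    stored-hash comparison; raises ValueError where the PL/SQL raises
    application error -20000. The exp_date > sysdate rule from the
    'Columns of interest' slide is enforced here as well (assumption)."""
    today = today or date.today()
    candidate = hash_password(password)
    for row in APP_USERS:
        if row["user_name"].upper() != username.upper():
            continue
        # compare_digest avoids a timing side channel on the hash comparison;
        # the PL/SQL uses a plain equality predicate in the WHERE clause.
        if hmac.compare_digest(row["password"], candidate):
            if row["exp_date"] <= today:
                raise ValueError("Account expired")
            return
    raise ValueError("Invalid username/password")


def valid_user(username: str, password: str, today=None) -> bool:
    """Mirror of the PL/SQL valid_user: any failure becomes False."""
    try:
        valid_user2(username, password, today)
        return True
    except ValueError:
        return False
```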
BI Security Setup
• Set up a JDBC data source in WebLogic
• Add a SQLAuthenticator in WebLogic
  • Reorder so that this new provider is first in the list
  • Set the control flag to “SUFFICIENT”
• Set up the provider-specific information
  • Uncheck plaintext password
  • List the data source
  • Check queries
• Set up the BI System User
• Test the configuration
JDBC Data Source
[Screenshot]
Authentication Provider
[Screenshot]
Provider Details
[Screenshot]
Verify Provider is working in WebLogic
[Screenshot: SQL Authenticator]
Setup Virtualization
• Load OVD templates
  • Enables BI to see database tables as LDAP attributes
  • Limited OVD capabilities embedded into Fusion Middleware
• Set the Virtualization parameter in Enterprise Manager
  • Enables you to leave the default authenticator set up
  • Recommended to leave the default authenticator
Partial OVD Template
<objectClass name="inetorgperson" rdn="cn">
  <attribute ldap="cn" table="USERS" field="U_NAME" type=""/>
  <attribute ldap="uid" table="USERS" field="U_NAME" type=""/>
  <attribute ldap="usernameattr" table="USERS" field="U_NAME" type=""/>
  <attribute ldap="loginid" table="USERS" field="U_NAME" type=""/>
  <attribute ldap="description" table="USERS" field="U_DESCRIPTION" type=""/>
  <attribute ldap="mail" table="USERS" field="MAIL" type=""/>
  <attribute ldap="orclguid" table="USERS" field="U_NAME" type=""/>
</objectClass>
(Callouts on the slide: field = Database Column, ldap = LDAP Attribute)
Virtualization Parameter in EM
[Screenshot]
BI System User
• Add the user to the database tables (no groups required)
• Map the user to the BISystem role in Enterprise Manager
• Add BISystemUser to the Credential Store
BI System User in Identity Store
[Screenshot: Identity Store, Oracle11g]
BI System User in Policy Store
[Screenshot: Policy Store, Built-in Role]
BI System User in Credential Store
[Screenshot: Credential Store, Oracle11g]
Testing
• Try to log in to BI
• See if your table-based users show up in WebLogic
• If that fails, attempt to log in to WebLogic
  • Temporarily add the user to the WebLogic global Admin role
• Use the new diagnostics utility to isolate any problems
Diagnostics Application
• New application that ships with OBIEE 11.1.1.6
• Deploy bidiagnostics.ear to the Admin Server
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp
• Follow the instructions for configuration
• Restart BI
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp
BI Diagnostics
[Screenshot]
For Further Information: Oracle Technology Network
• Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
  • http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/toc.htm
• WebLogic Security
  • http://docs.oracle.com/cd/E23943_01/wls.htm#security
• Oracle Fusion Middleware Security Overview
  • http://docs.oracle.com/cd/E23943_01/core.1111/e12889/toc.htm
Oracle BI Security Components
8
The right tool for the right responsibility
LDAP Server
(Users and Groups
Key Concepts
Identity Store
Policy Store
Credential Store
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
System Credentials
Application Roles Application Policies
Users Groups
Key Concepts ndash Default Configuration
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File File WLS LDAP
Key Concepts ndash Common
Configuration
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File External LDAP External LDAP
Key Concepts ndash Case Study
Oracle BI
Oracle SOA
Oracle Service
Bus
Oracle WebLogic
Server
Oracle Web Services Manager
Oracle ADF WebCenter
Oracle Fusion Applications
Identity Store
Policy Store
Credential Store
System Credentials
Application Roles Application Policies
Users Groups
File File Database Table
Common Security Setup
• Oracle BI 11g using Fusion Middleware Security
  • External LDAP (OID, AD) for users and groups
  • Database Table Authentication
  • Internal Security (not recommended for production)
  • External LDAP for users, Database Tables for groups (new in 11.1.1.6)
• Oracle BI 11g using 10g-style security (init-blocks)
  • External LDAP for users, Database Tables for groups
  • Database Table Authentication
  • RPD users (not recommended for production)
Case Study: Database Table Authentication
• Business background
• Architecture
• DB setup
• BI Setup
• Diagnostics
The PSBI Cloud demo environment
• BIEE using table-based authentication and authorization
  • Users
  • Groups
  • Demos – collection of groups required for a demo
• APEX application to manage users and groups
• The APEX application uses the same table-based authentication but different authorization
  • Users
  • User types (customer, partner, employee, admin)
APEX functionality
• Oracle Employees
  • Request an account
  • Reset their password
  • Find a lost username
  • Configure their demo
  • Set up workshops
  • Provision workshop users
• Customers (workshop attendees) and Partners
  • Reset their password
  • Download workshop material
• System Administrators
  • Approve account requests
  • Create partner accounts
Architecture Diagram
(diagram)
• Database – Identity Store Schema, Authentication Package
• APEX – Custom Authentication Scheme, Security Application
• BI – FMW Security, WebLogic SQL-Authenticator

Tables Required
(schema diagram)
Columns of interest
• APP_USERS
  • Password – stores the hashed password
  • Exp_date – must be greater than sysdate to log in to BI or APEX
  • User_Type_id – determines authorization in the APEX application
• Demo
  • Usable_by_id – determines what type of user can use this demo
    • logic built into the auth_util.usable function
    • Bad design – should have created a user_type-to-demo table
• Groups
  • Group_type_id – used to distinguish between groups and web groups
PL/SQL Package
-- Specification of the authentication package shared by APEX and BI
CREATE OR REPLACE PACKAGE AUTH_UTIL AS
  -- raises an error when the username/password pair is not valid
  PROCEDURE valid_user2
    (p_username IN VARCHAR2, p_password IN VARCHAR2);
  -- BOOLEAN wrapper around valid_user2, used by the APEX authentication scheme
  FUNCTION valid_user
    (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;
  PROCEDURE set_password
    (p_username IN VARCHAR2, p_password IN VARCHAR2);
  PROCEDURE login
    (p_username IN VARCHAR2, p_password IN VARCHAR2,
     p_session_id IN VARCHAR2, p_flow_page IN VARCHAR2);
  -- decides whether a user type may use a demo (see "Columns of interest")
  FUNCTION usable
    (p_item_user_type_id IN NUMBER, p_user_user_type_id IN NUMBER)
    RETURN VARCHAR2;
  FUNCTION complex_password
    (p_user_name IN VARCHAR2, p_old_password IN VARCHAR2,
     p_new_password IN VARCHAR2)
    RETURN BOOLEAN;
END AUTH_UTIL;
/
Hash Function
FUNCTION hash_password (p_password IN VARCHAR2)
  RETURN VARCHAR2
AS
  v_hash_algorithm PLS_INTEGER;
  v_return         VARCHAR2(4000);
BEGIN
  v_hash_algorithm := DBMS_CRYPTO.HASH_SH1;
  -- "{SHA-1}" prefix followed by the base64 of the SHA-1 digest of the
  -- UTF-8 password: the form WebLogic's SQLAuthenticator stores and compares
  v_return := '{SHA-1}' || UTL_RAW.CAST_TO_VARCHAR2(
                UTL_ENCODE.BASE64_ENCODE(
                  DBMS_CRYPTO.HASH(
                    UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8'),
                    v_hash_algorithm)));
  RETURN v_return;
END hash_password;

WebLogic defaults to a base64-encoded SHA-1 hashed password.
APEX security setup
(screenshot)

APEX Code
FUNCTION valid_user (p_username IN VARCHAR2, p_password IN VARCHAR2)
  RETURN BOOLEAN
AS
BEGIN
  valid_user2(p_username, p_password);
  RETURN TRUE;
EXCEPTION
  WHEN OTHERS THEN RETURN FALSE;   -- any failure is reported as a failed login
END valid_user;

PROCEDURE valid_user2 (p_username IN VARCHAR2, p_password IN VARCHAR2)
AS
  v_dummy VARCHAR2(1);
BEGIN
  -- exactly one row must match the name and the recomputed hash
  SELECT 1
    INTO v_dummy
    FROM app_users
   WHERE UPPER(user_name) = UPPER(p_username)
     AND password = hash_password(p_password);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    raise_application_error(-20000, 'Invalid username/password');
END valid_user2;
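As an added check that is not part of the presentation's PL/SQL, the same stored-password format computed in Python, the lookup that valid_user2 performs, and the Exp_date rule from the "Columns of interest" slide applied on top of it. The APP_USERS rows, usernames, passwords and dates are constructed sample data.

```python
import base64
import hashlib
import hmac
from datetime import date

# Added example, not the presentation's code. The column value that the
# PL/SQL hash_password produces and that WebLogic's SQLAuthenticator expects
# once "Plaintext Passwords Enabled" is unchecked:
#   "{SHA-1}" + base64(SHA-1(UTF-8 bytes of the password))
PREFIX = "{SHA-1}"


def hash_password(password: str) -> str:
    """Python twin of the PL/SQL hash_password (unsalted SHA-1, base64)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")


def is_weblogic_sha1(stored: str) -> bool:
    """True when a stored value carries the prefix and a 20-byte digest."""
    if not stored.startswith(PREFIX):
        return False
    try:
        return len(base64.b64decode(stored[len(PREFIX):], validate=True)) == 20
    except ValueError:
        return False


# Constructed APP_USERS rows; column names follow the "Columns of interest"
# slide. Dates are ISO strings so the rows stay plain data.
APP_USERS = [
    {"user_name": "BISystemUser", "password": hash_password("s3cret-bi"),
     "exp_date": "2099-01-01", "user_type_id": 4},
    {"user_name": "wkshop01", "password": hash_password("Welcome1"),
     "exp_date": "2012-06-30", "user_type_id": 1},   # expires mid-2012
    {"user_name": "legacy", "password": "Welcome1",        # never hashed
     "exp_date": "2099-01-01", "user_type_id": 1},
]


def authenticate(users, username: str, password: str, today: str):
    """Mirror valid_user2 (case-insensitive name, hash equality) and add the
    Exp_date rule: the account is usable only while exp_date > today.
    Returns the matching row, or None for any failure."""
    candidate = hash_password(password).encode("ascii")
    for row in users:
        if row["user_name"].upper() != username.upper():
            continue
        # constant-time comparison of the stored value and the recomputed hash
        if not hmac.compare_digest(row["password"].encode("utf-8"), candidate):
            return None
        if date.fromisoformat(row["exp_date"]) <= date.fromisoformat(today):
            return None
        return row
    return None


def find_unhashed(users):
    """Usernames whose password column is not in {SHA-1} form; such rows
    cannot authenticate through the SQLAuthenticator with plaintext disabled."""
    return [r["user_name"] for r in users if not is_weblogic_sha1(r["password"])]
```

Because the value is an unsalted SHA-1 (the format WebLogic's SQLAuthenticator uses by default), two accounts with the same password share the same stored value; find_unhashed is the check to run before unchecking plaintext passwords in the provider.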
BI Security Setup
• Set up a JDBC data source in WebLogic
• Add a SQLAuthenticator in WebLogic
  • Reorder so that the new provider is first in the list
  • Set the control flag to "SUFFICIENT"
• Set up the provider-specific information
  • Uncheck "Plaintext Passwords Enabled"
  • Select the data source
  • Check the queries
• Set up the BI System User
• Test the configuration

JDBC Data Source
(screenshot)

Authentication Provider
(screenshot)

Provider Details
(screenshot)

Verify Provider is working in WebLogic
(screenshot: SQL Authenticator)
Setup Virtualization
• Load the OVD templates
  • Enables BI to see database tables as LDAP attributes
  • Limited OVD capabilities are embedded into Fusion Middleware
• Set the Virtualization parameter in Enterprise Manager
  • Enables you to leave the default authenticator set up
  • Recommended: leave the default authenticator in place
Partial OVD Template
<objectClass name="inetorgperson" rdn="cn">
  <attribute ldap="cn" table="USERS" field="U_NAME" type="" />
  <attribute ldap="uid" table="USERS" field="U_NAME" type="" />
  <attribute ldap="usernameattr" table="USERS" field="U_NAME" type="" />
  <attribute ldap="loginid" table="USERS" field="U_NAME" type="" />
  <attribute ldap="description" table="USERS" field="U_DESCRIPTION" type="" />
  <attribute ldap="mail" table="USERS" field="MAIL" type="" />
  <attribute ldap="orclguid" table="USERS" field="U_NAME" type="" />
</objectClass>
Callouts on the slide: field = Database Column, ldap = LDAP Attribute.

Virtualization Parameter in EM
(screenshot)
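The adapter mapping, as an added Python example that is neither the presentation's code nor OVD tooling: it parses the template above, checks the mapped columns against the table definition before the template is loaded, and projects a constructed USERS row into the LDAP entry BI sees through the adapter. The base DN, column set and rows are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the partial OVD template shown on the slide.
OVD_TEMPLATE = """<objectClass name="inetorgperson" rdn="cn">
  <attribute ldap="cn" table="USERS" field="U_NAME" type="" />
  <attribute ldap="uid" table="USERS" field="U_NAME" type="" />
  <attribute ldap="usernameattr" table="USERS" field="U_NAME" type="" />
  <attribute ldap="loginid" table="USERS" field="U_NAME" type="" />
  <attribute ldap="description" table="USERS" field="U_DESCRIPTION" type="" />
  <attribute ldap="mail" table="USERS" field="MAIL" type="" />
  <attribute ldap="orclguid" table="USERS" field="U_NAME" type="" />
</objectClass>"""

# Constructed rows of the USERS table the adapter reads (None = SQL NULL).
USERS_ROWS = [
    {"U_NAME": "bwise", "U_DESCRIPTION": "Oracle employee", "MAIL": "bwise@example.com"},
    {"U_NAME": "wkshop01", "U_DESCRIPTION": "Workshop attendee", "MAIL": None},
]


def parse_template(xml_text):
    """Return (object class name, rdn attribute, [(ldap attr, table, column)])."""
    root = ET.fromstring(xml_text)
    mapping = [(a.get("ldap"), a.get("table"), a.get("field"))
               for a in root.findall("attribute")]
    return root.get("name"), root.get("rdn"), mapping


def check_template(xml_text, table_columns):
    """Problems to fix before loading: an rdn that is not mapped, and
    mapped columns that do not exist in the table (table -> set of columns)."""
    _oc, rdn, mapping = parse_template(xml_text)
    problems = []
    if rdn not in {ldap for ldap, _, _ in mapping}:
        problems.append(f"rdn attribute '{rdn}' is not mapped")
    for ldap, table, column in mapping:
        if column not in table_columns.get(table, ()):
            problems.append(f"{ldap}: column {table}.{column} does not exist")
    return problems


def row_to_entry(xml_text, row, base_dn):
    """Project one table row into the LDAP entry the adapter presents."""
    oc, rdn, mapping = parse_template(xml_text)
    entry = {"objectClass": oc}
    for ldap, _table, column in mapping:
        value = row.get(column)
        if value is not None:        # a NULL column yields no attribute
            entry[ldap] = value
    entry["dn"] = f"{rdn}={entry[rdn]},{base_dn}"
    return entry
```

Note that the template maps orclguid to U_NAME, so the value BI treats as the user's stable identifier is the username itself, and a NULL MAIL column simply produces an entry without a mail attribute.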
BI System User
• Add the user to the database tables (no groups required)
• Map the user to the BISystem role in Enterprise Manager
• Add the BISystemUser to the Credential Store

BI System User in Identity Store
(screenshot: Identity Store, Oracle11g)

BI System User in Policy Store
(screenshot: Policy Store, built-in role)

BI System User in Credential Store
(screenshot: Credential Store, Oracle11g)
Testing
• Try to log in to BI
• See if your table-based users show up in WebLogic
• If that fails, attempt to log in to WebLogic
  • Temporarily add the user to the WebLogic Global Admin role
• Use the new diagnostics utility to isolate any problems
Diagnostics Application
• New application that ships with OBIEE 11.1.1.6
• Deploy bidiagnostics.ear to the Admin Server
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp
• Follow the instructions for configuration
• Restart BI
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp again

BI Diagnostics
(screenshot)
For Further Information: Oracle Technology Network
• Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
  http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/toc.htm
• WebLogic Security
  http://docs.oracle.com/cd/E23943_01/wls.htm#security
• Oracle Fusion Middleware Security Overview
  http://docs.oracle.com/cd/E23943_01/core.1111/e12889/toc.htm
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
Common Security Setup
• Oracle BI 11g using Fusion Middleware Security
  • External LDAP (OID, AD) for users and groups
  • Database Table Authentication
  • Internal Security (not recommended for production)
  • External LDAP for users, Database Tables for groups (new in 11.1.1.6)
• Oracle BI 11g using 10g-style security (init blocks)
  • External LDAP for users, Database Tables for groups
  • Database Table Authentication
  • RPD users (not recommended for production)
13
Case Study: Database Table Authentication
• Business background
• Architecture
• DB setup
• BI setup
• Diagnostics
14
15
The PSBI Cloud demo environment
• BIEE using table-based authentication and authorization
  • Users
  • Groups
  • Demos – collection of groups required for a demo
• APEX application to manage users and groups
• APEX application uses the same table-based authentication but different authorization
  • Users
  • User types (customer, partner, employee, admin)
16
APEX functionality
• Oracle Employees
  • Request an account
  • Reset their password
  • Find a lost username
  • Configure their demo
  • Set up workshops
  • Provision workshop users
• Customers (workshop attendees) and Partners
  • Reset their password
  • Download workshop material
• System Administrators
  • Approve account requests
  • Create partner accounts
Architecture Diagram
17
(Diagram with three tiers sharing one database: Database holding the Identity Store Schema and the Authentication Package; APEX with a Custom Authentication Scheme and the Security Application; BI with FMW Security and the WebLogic SQL-Authenticator.)
18
Tables Required
19
Columns of interest
• APP_USERS
  • Password – stores the hashed password
  • Exp_date – must be greater than sysdate to log in to BI or APEX
  • User_Type_id – determines authorization in the APEX application
• Demo
  • Usable_by_id – determines what type of user can use this demo
    • logic built into the auth_util.usable function
    • Bad design – should have created a user_type-to-demo table
• Groups
  • Group_type_id – used to distinguish between groups and web groups
20
PL/SQL Package
  CREATE OR REPLACE PACKAGE AUTH_UTIL AS
    -- raises an error when the username/password pair is not valid
    PROCEDURE valid_user2
      (p_username IN VARCHAR2, p_password IN VARCHAR2);
    -- boolean wrapper around valid_user2, used by the APEX authentication scheme
    FUNCTION valid_user
      (p_username IN VARCHAR2, p_password IN VARCHAR2)
      RETURN BOOLEAN;
    PROCEDURE set_password
      (p_username IN VARCHAR2, p_password IN VARCHAR2);
    PROCEDURE login
      (p_username IN VARCHAR2, p_password IN VARCHAR2,
       p_session_id IN VARCHAR2, p_flow_page IN VARCHAR2);
    -- authorization check: may a user of this type use this demo?
    FUNCTION usable
      (p_item_user_type_id IN NUMBER, p_user_user_type_id IN NUMBER)
      RETURN VARCHAR2;
    FUNCTION complex_password
      (p_user_name IN VARCHAR2, p_old_password IN VARCHAR2,
       p_new_password IN VARCHAR2)
      RETURN BOOLEAN;
  END AUTH_UTIL;
21
Hash Function
  FUNCTION hash_password(p_password IN VARCHAR2)
    RETURN VARCHAR2
  AS
    v_hash_algorithm PLS_INTEGER;
    v_return         VARCHAR2(4000);
  BEGIN
    v_hash_algorithm := DBMS_CRYPTO.HASH_SH1;
    -- '{SHA-1}' tag followed by the base64 of the SHA-1 digest of the UTF-8
    -- password: the form the WebLogic SQLAuthenticator compares against once
    -- plaintext passwords are disabled on the provider
    v_return := '{SHA-1}' || UTL_RAW.CAST_TO_VARCHAR2(
                  UTL_ENCODE.BASE64_ENCODE(
                    DBMS_CRYPTO.HASH(UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8'),
                                     v_hash_algorithm)));
    RETURN v_return;
  END;
WebLogic defaults to a base64-encoded SHA-1 hashed password.
APEX security setup
22
APEX Code
23
  -- boolean wrapper called by the APEX custom authentication scheme;
  -- any error raised by valid_user2 becomes a failed login
  FUNCTION valid_user (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
  BEGIN
    valid_user2(p_username, p_password);
    RETURN TRUE;
  EXCEPTION WHEN OTHERS THEN RETURN FALSE;
  END valid_user;

  -- username matched case-insensitively, password matched on its hash
  PROCEDURE valid_user2 (p_username IN VARCHAR2, p_password IN VARCHAR2) AS
    v_dummy VARCHAR2(1);
  BEGIN
    SELECT 1
      INTO v_dummy
      FROM app_users
     WHERE UPPER(user_name) = UPPER(p_username)
       AND password = hash_password(p_password);
  EXCEPTION WHEN NO_DATA_FOUND THEN
    raise_application_error(-20000, 'Invalid username/password');
  END valid_user2;
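The hash format from the Hash Function slide and the valid_user/valid_user2 pair above, reproduced in Python as an added example (not the deck's or Oracle's code) so the stored value can be checked outside the database; the APP_USERS rows, the fixed dates, the expiry check and the stored_hash_ok audit helper are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
from datetime import date, timedelta

SHA1_TAG = "{SHA-1}"


def hash_password(password: str) -> str:
    """Produce the same value as AUTH_UTIL.hash_password: the '{SHA-1}' tag
    followed by the base64 of the SHA-1 digest of the UTF-8 password, which is
    the unsalted form the WebLogic SQLAuthenticator compares against when
    plaintext passwords are disabled."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA1_TAG + base64.b64encode(digest).decode("ascii")


def stored_hash_ok(stored: str) -> bool:
    """Audit helper (assumed, not from the deck): True when a PASSWORD column
    value is in the hashed form above. Running it over the table finds rows
    left in plaintext or truncated before 'plaintext password' is unchecked
    on the provider, which would otherwise simply stop logging in."""
    if not stored.startswith(SHA1_TAG):
        return False
    try:
        raw = base64.b64decode(stored[len(SHA1_TAG):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == hashlib.sha1().digest_size


# Constructed stand-in for the APP_USERS table, using the columns the deck
# lists (user_name, password, exp_date, user_type_id). Dates are fixed so the
# example is reproducible.
TODAY = date(2012, 6, 1)
APP_USERS = [
    {"user_name": "JDOE", "password": hash_password("correct horse"),
     "exp_date": TODAY + timedelta(days=30), "user_type_id": 3},
    {"user_name": "expired.user", "password": hash_password("abc"),
     "exp_date": TODAY - timedelta(days=1), "user_type_id": 1},
]


def valid_user2(username: str, password: str, today: date = TODAY) -> dict:
    """Mirror of AUTH_UTIL.valid_user2: succeed only when a row matches the
    username case-insensitively and the stored hash, raise otherwise.
    The Exp_date > sysdate rule from the 'Columns of interest' slide is
    folded into the same match, so an expired account fails exactly like a
    wrong password. The hash comparison is constant-time here; the SQL
    equality in the deck is not."""
    candidate = hash_password(password)
    for row in APP_USERS:
        if (row["user_name"].upper() == username.upper()
                and hmac.compare_digest(row["password"], candidate)
                and row["exp_date"] > today):
            return row
    # The PL/SQL version raises ORA-20000 at this point.
    raise ValueError("Invalid username/password")


def valid_user(username: str, password: str, today: date = TODAY) -> bool:
    """Mirror of AUTH_UTIL.valid_user: the boolean wrapper APEX calls."""
    try:
        valid_user2(username, password, today)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(hash_password("abc"))                 # {SHA-1}qZk+NkcGgWq6PiVxeFDCbJzQ2J0=
    print(valid_user("jdoe", "correct horse"))  # True
    print(valid_user("expired.user", "abc"))    # False (account expired)
```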
BI Security Setup
• Set up a JDBC data source in WebLogic
• Add a SQLAuthenticator in WebLogic
  • Reorder so that this new provider is first in the list
  • Set the control flag to "SUFFICIENT"
• Set up the provider-specific information
  • Uncheck plaintext password
  • List the data source
  • Check the queries
• Set up the BI System User
• Test the configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
• Load OVD templates
  • Enables BI to see database tables as LDAP attributes
  • Limited OVD capabilities embedded into Fusion Middleware
• Set the Virtualization parameter in Enterprise Manager
  • Enables you to leave the default authenticator set up
  • Recommended to leave the default authenticator
29
Partial OVD Template
30
  <objectClass name="inetorgperson" rdn="cn">
    <attribute ldap="cn" table="USERS" field="U_NAME" type=""/>
    <attribute ldap="uid" table="USERS" field="U_NAME" type=""/>
    <attribute ldap="usernameattr" table="USERS" field="U_NAME" type=""/>
    <attribute ldap="loginid" table="USERS" field="U_NAME" type=""/>
    <attribute ldap="description" table="USERS" field="U_DESCRIPTION" type=""/>
    <attribute ldap="mail" table="USERS" field="MAIL" type=""/>
    <attribute ldap="orclguid" table="USERS" field="U_NAME" type=""/>
  </objectClass>
(Slide callouts: table/field identify the Database Column, ldap names the LDAP Attribute it is exposed as.)
Virtualization Parameter in EM
31
BI System User
• Add the user to the database tables (no groups required)
• Map the user to the BISystem role in Enterprise Manager
• Add BISystemUser to the Credential Store
32
BI System User in Identity Store
33
(Screenshot: Identity Store, Oracle 11g)
BI System User in Policy Store
34
(Screenshot: Policy Store, Built-in Role)
BI System User in Credential Store
35
(Screenshot: Credential Store, Oracle 11g)
Testing
• Try to log in to BI
• See if your table-based users show up in WebLogic
• If that fails, attempt to log in to WebLogic
  • Temporarily add the user to the WebLogic Global Admin role
• Use the new diagnostics utility to isolate any problems
36
Diagnostics Application
• New application that ships with OBIEE 11.1.1.6
• Deploy bidiagnostics.ear to the Admin Server
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp
• Follow the instructions for configuration
• Restart BI
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp again
37
BI Diagnostics
38
For Further Information: Oracle Technology Network
• Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
  • http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/toc.htm
• WebLogic Security
  • http://docs.oracle.com/cd/E23943_01/wls.htm#security
• Oracle Fusion Middleware Security Overview
  • http://docs.oracle.com/cd/E23943_01/core.1111/e12889/toc.htm
39
Case Study Database Table
Authentication
bull Business background
bull Architecture
bull DB setup
bull BI Setup
bull Diagnostics
14
15
The PSBI Cloud demo environment
bull BIEE using table based authentication and
authorization
bull Users
bull Groups
bull Demos ndash collection of groups required for a demo
bull APEX application to manage users groups
bull APEX application uses the same table based
authentication but different authorization
bull Users
bull User types (customer partner employee admin)
16
APEX functionality
bull Oracle Employees
bull Request an Account
bull Reset their password
bull Find a lost username
bull Configure their demo
bull Setup Workshops
bull Provision Workshop Users
bull Customers (workshop attendees) and Partners
bull Reset their password
bull Download workshop material
bull System Administrators
bull Approve account requests
bull Create Partner Accounts
Architecture Diagram
17
Database
Identity Store Schema
Authentication Package
APEX
Custom Authentication
Scheme
Security Application
BI
FMW Security
WebLogic
SQL-Authenticator
18
Tables Required
19
Columns of interest
bull APP_USERS
bull Password ndash stores hashed password
bull Exp_date ndash must be greater than sysdate to login to BI or APEX
bull User_Type_id ndash determines authorization in APEX application
bull Demo
bull Usable_by_id ndash determines what type of user can use this demo
bull logic built into the auth_utilusable function
bull Bad design ndash should have created a user_type to demo table
bull Groups
bull Group_type_id ndash used to distinguish between groups and web
groups
20
PLSQL Package
CREATE OR REPLACE PACKAGE AUTH_UTILldquo AS
PROCEDURE valid_user2
( p_username IN VARCHAR2 p_password IN VARCHAR2)
FUNCTION valid_user
(p_username IN VARCHAR2 p_password IN VARCHAR2)
RETURN BOOLEAN
PROCEDURE set_password
(p_username IN VARCHAR2 p_password IN VARCHAR2)
PROCEDURE login
(p_username IN VARCHAR2 p_password IN VARCHAR2
p_session_id IN VARCHAR2 p_flow_page IN VARCHAR2 )
FUNCTION usable
( p_item_user_type_id IN NUMBERp_user_user_type_id IN NUMBER)
RETURN VARCHAR2
FUNCTION complex_password
( p_user_name IN VARCHAR2 p_old_password IN VARCHAR2
p_new_password IN VARCHAR2)
RETURN BOOLEAN
END AUTH_UTIL
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
RETURN VARCHAR2
AS
v_hash_algorithm pls_integer
v_return VARCHAR2(4000)
BEGIN
v_hash_algorithm = dbms_cryptohash_sh1
v_return = SHA-1|| utl_rawcast_to_varchar2( UTL_ENCODEBASE64_ENCODE( dbms_cryptohash( UTL_I18NSTRING_TO_RAW (p_password AL32UTF8)v_hash_algorithm)))
RETURN v_return
END
WebLogic defaults to base 64 encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
15
The PSBI Cloud demo environment
bull BIEE using table based authentication and
authorization
bull Users
bull Groups
bull Demos ndash collection of groups required for a demo
bull APEX application to manage users groups
bull APEX application uses the same table based
authentication but different authorization
bull Users
bull User types (customer partner employee admin)
16
APEX functionality
bull Oracle Employees
bull Request an Account
bull Reset their password
bull Find a lost username
bull Configure their demo
bull Setup Workshops
bull Provision Workshop Users
bull Customers (workshop attendees) and Partners
bull Reset their password
bull Download workshop material
bull System Administrators
bull Approve account requests
bull Create Partner Accounts
Architecture Diagram
17
Database
Identity Store Schema
Authentication Package
APEX
Custom Authentication
Scheme
Security Application
BI
FMW Security
WebLogic
SQL-Authenticator
18
Tables Required
19
Columns of interest
bull APP_USERS
bull Password ndash stores hashed password
bull Exp_date ndash must be greater than sysdate to login to BI or APEX
bull User_Type_id ndash determines authorization in APEX application
bull Demo
bull Usable_by_id ndash determines what type of user can use this demo
bull logic built into the auth_utilusable function
bull Bad design ndash should have created a user_type to demo table
bull Groups
bull Group_type_id ndash used to distinguish between groups and web
groups
20
PLSQL Package
CREATE OR REPLACE PACKAGE AUTH_UTILldquo AS
PROCEDURE valid_user2
( p_username IN VARCHAR2 p_password IN VARCHAR2)
FUNCTION valid_user
(p_username IN VARCHAR2 p_password IN VARCHAR2)
RETURN BOOLEAN
PROCEDURE set_password
(p_username IN VARCHAR2 p_password IN VARCHAR2)
PROCEDURE login
(p_username IN VARCHAR2 p_password IN VARCHAR2
p_session_id IN VARCHAR2 p_flow_page IN VARCHAR2 )
FUNCTION usable
( p_item_user_type_id IN NUMBERp_user_user_type_id IN NUMBER)
RETURN VARCHAR2
FUNCTION complex_password
( p_user_name IN VARCHAR2 p_old_password IN VARCHAR2
p_new_password IN VARCHAR2)
RETURN BOOLEAN
END AUTH_UTIL
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
RETURN VARCHAR2
AS
v_hash_algorithm pls_integer
v_return VARCHAR2(4000)
BEGIN
v_hash_algorithm = dbms_cryptohash_sh1
v_return = SHA-1|| utl_rawcast_to_varchar2( UTL_ENCODEBASE64_ENCODE( dbms_cryptohash( UTL_I18NSTRING_TO_RAW (p_password AL32UTF8)v_hash_algorithm)))
RETURN v_return
END
WebLogic defaults to base 64 encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
16
APEX functionality
bull Oracle Employees
bull Request an Account
bull Reset their password
bull Find a lost username
bull Configure their demo
bull Setup Workshops
bull Provision Workshop Users
bull Customers (workshop attendees) and Partners
bull Reset their password
bull Download workshop material
bull System Administrators
bull Approve account requests
bull Create Partner Accounts
Architecture Diagram
17
Database
Identity Store Schema
Authentication Package
APEX
Custom Authentication
Scheme
Security Application
BI
FMW Security
WebLogic
SQL-Authenticator
18
Tables Required
19
Columns of interest
bull APP_USERS
bull Password ndash stores hashed password
bull Exp_date ndash must be greater than sysdate to login to BI or APEX
bull User_Type_id ndash determines authorization in APEX application
bull Demo
bull Usable_by_id ndash determines what type of user can use this demo
bull logic built into the auth_utilusable function
bull Bad design ndash should have created a user_type to demo table
bull Groups
bull Group_type_id ndash used to distinguish between groups and web
groups
20
PLSQL Package
CREATE OR REPLACE PACKAGE AUTH_UTILldquo AS
PROCEDURE valid_user2
( p_username IN VARCHAR2 p_password IN VARCHAR2)
FUNCTION valid_user
(p_username IN VARCHAR2 p_password IN VARCHAR2)
RETURN BOOLEAN
PROCEDURE set_password
(p_username IN VARCHAR2 p_password IN VARCHAR2)
PROCEDURE login
(p_username IN VARCHAR2 p_password IN VARCHAR2
p_session_id IN VARCHAR2 p_flow_page IN VARCHAR2 )
FUNCTION usable
( p_item_user_type_id IN NUMBERp_user_user_type_id IN NUMBER)
RETURN VARCHAR2
FUNCTION complex_password
( p_user_name IN VARCHAR2 p_old_password IN VARCHAR2
p_new_password IN VARCHAR2)
RETURN BOOLEAN
END AUTH_UTIL
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
RETURN VARCHAR2
AS
v_hash_algorithm pls_integer
v_return VARCHAR2(4000)
BEGIN
v_hash_algorithm = dbms_cryptohash_sh1
v_return = SHA-1|| utl_rawcast_to_varchar2( UTL_ENCODEBASE64_ENCODE( dbms_cryptohash( UTL_I18NSTRING_TO_RAW (p_password AL32UTF8)v_hash_algorithm)))
RETURN v_return
END
WebLogic defaults to base 64 encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
Architecture Diagram
17
Database
Identity Store Schema
Authentication Package
APEX
Custom Authentication
Scheme
Security Application
BI
FMW Security
WebLogic
SQL-Authenticator
18
Tables Required
19
Columns of interest
bull APP_USERS
bull Password ndash stores hashed password
bull Exp_date ndash must be greater than sysdate to login to BI or APEX
bull User_Type_id ndash determines authorization in APEX application
bull Demo
bull Usable_by_id ndash determines what type of user can use this demo
bull logic built into the auth_utilusable function
bull Bad design ndash should have created a user_type to demo table
bull Groups
bull Group_type_id ndash used to distinguish between groups and web
groups
20
PLSQL Package
CREATE OR REPLACE PACKAGE AUTH_UTILldquo AS
PROCEDURE valid_user2
( p_username IN VARCHAR2 p_password IN VARCHAR2)
FUNCTION valid_user
(p_username IN VARCHAR2 p_password IN VARCHAR2)
RETURN BOOLEAN
PROCEDURE set_password
(p_username IN VARCHAR2 p_password IN VARCHAR2)
PROCEDURE login
(p_username IN VARCHAR2 p_password IN VARCHAR2
p_session_id IN VARCHAR2 p_flow_page IN VARCHAR2 )
FUNCTION usable
( p_item_user_type_id IN NUMBERp_user_user_type_id IN NUMBER)
RETURN VARCHAR2
FUNCTION complex_password
( p_user_name IN VARCHAR2 p_old_password IN VARCHAR2
p_new_password IN VARCHAR2)
RETURN BOOLEAN
END AUTH_UTIL
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
RETURN VARCHAR2
AS
v_hash_algorithm pls_integer
v_return VARCHAR2(4000)
BEGIN
v_hash_algorithm = dbms_cryptohash_sh1
v_return = SHA-1|| utl_rawcast_to_varchar2( UTL_ENCODEBASE64_ENCODE( dbms_cryptohash( UTL_I18NSTRING_TO_RAW (p_password AL32UTF8)v_hash_algorithm)))
RETURN v_return
END
WebLogic defaults to base 64 encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
18
Tables Required
19
Columns of interest
bull APP_USERS
bull Password ndash stores hashed password
bull Exp_date ndash must be greater than sysdate to login to BI or APEX
bull User_Type_id ndash determines authorization in APEX application
bull Demo
bull Usable_by_id ndash determines what type of user can use this demo
bull logic built into the auth_utilusable function
bull Bad design ndash should have created a user_type to demo table
bull Groups
bull Group_type_id ndash used to distinguish between groups and web
groups
20
PLSQL Package
CREATE OR REPLACE PACKAGE AUTH_UTIL AS
  -- Raises an error when the username/password pair is not valid
  PROCEDURE valid_user2
    (p_username IN VARCHAR2, p_password IN VARCHAR2);
  -- Boolean wrapper around valid_user2, used by the APEX authentication scheme
  FUNCTION valid_user
    (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;
  PROCEDURE set_password
    (p_username IN VARCHAR2, p_password IN VARCHAR2);
  PROCEDURE login
    (p_username IN VARCHAR2, p_password IN VARCHAR2,
     p_session_id IN VARCHAR2, p_flow_page IN VARCHAR2);
  -- Decides whether a user type may use a demo (Usable_by_id logic)
  FUNCTION usable
    (p_item_user_type_id IN NUMBER, p_user_user_type_id IN NUMBER)
    RETURN VARCHAR2;
  FUNCTION complex_password
    (p_user_name IN VARCHAR2, p_old_password IN VARCHAR2,
     p_new_password IN VARCHAR2)
    RETURN BOOLEAN;
END AUTH_UTIL;
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
  RETURN VARCHAR2
AS
  v_hash_algorithm PLS_INTEGER;
  v_return         VARCHAR2(4000);
BEGIN
  -- Unsalted SHA-1, the algorithm WebLogic's SQLAuthenticator uses by default
  v_hash_algorithm := DBMS_CRYPTO.HASH_SH1;
  -- UTF-8 encode the password, hash it, base64 the digest and prefix the
  -- algorithm tag, so the stored value is in the form WebLogic expects
  v_return := '{SHA-1}' || UTL_RAW.CAST_TO_VARCHAR2(
                UTL_ENCODE.BASE64_ENCODE(
                  DBMS_CRYPTO.HASH(
                    UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8'),
                    v_hash_algorithm)));
  RETURN v_return;
END;
WebLogic defaults to a base64-encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2, p_password in varchar2) return boolean AS
BEGIN
  valid_user2(p_username, p_password);
  return true;
exception when others then return false;
END valid_user;

procedure valid_user2 (p_username in varchar2, p_password in varchar2) AS
  v_dummy varchar2(1);
BEGIN
  -- Username match is case-insensitive; the stored hash must equal the
  -- hash of the supplied password (same format WebLogic checks against)
  select 1
    into v_dummy
    from app_users
   where upper(user_name) = upper(p_username)
     and password = hash_password(p_password);
exception when NO_DATA_FOUND then
  raise_application_error(-20000, 'Invalid username/password');
END valid_user2;
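As an added example (not code from the presentation), the same check modelled in Python so the stored format can be verified outside the database: hash_password() reproduces the pipeline of the Hash Function slide (UTF-8, SHA-1, base64, {SHA-1} prefix), and valid_user() mirrors valid_user2 while also applying the Exp_date rule from the Columns of interest slide. The APP_USERS rows are constructed sample data, not values from the slides.

```python
"""Python model of the APP_USERS password check described on the slides.

Added example, not part of the presentation. The table rows below are
constructed for illustration; the column names follow slide 20.
"""
import base64
import hashlib
import hmac
from datetime import date


def hash_password(password: str) -> str:
    """Same steps as the PL/SQL hash_password: UTL_I18N.STRING_TO_RAW(AL32UTF8)
    -> DBMS_CRYPTO.HASH(HASH_SH1) -> UTL_ENCODE.BASE64_ENCODE, with the
    algorithm tag WebLogic's SQLAuthenticator parses in front."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA-1}" + base64.b64encode(digest).decode("ascii")


# Constructed sample of the APP_USERS table (not data from the slides).
APP_USERS = [
    {"user_name": "BISystemUser",
     "password": hash_password("example-bi-system-pw"),
     "exp_date": date(2099, 12, 31), "user_type_id": 1},
    {"user_name": "jdoe",
     "password": hash_password("password"),
     "exp_date": date(2011, 1, 1), "user_type_id": 2},  # expires 2011-01-01
]


class AuthError(Exception):
    """Stands in for raise_application_error(-20000, ...)."""


def _as_date(today):
    # Accept a date or an ISO 'YYYY-MM-DD' string; default to sysdate.
    if today is None:
        return date.today()
    if isinstance(today, str):
        return date.fromisoformat(today)
    return today


def valid_user2(p_username, p_password, today=None, users=APP_USERS):
    """Raise AuthError unless the credentials match an unexpired row.

    Mirrors valid_user2 on the APEX Code slide: the username match is
    case-insensitive and the stored hash must equal hash_password(p_password).
    The Exp_date rule from slide 20 (must be greater than sysdate) is added.
    One generic message covers every failure so callers cannot tell an
    unknown user from a wrong password or an expired account."""
    sysdate = _as_date(today)
    candidate = hash_password(p_password)
    for row in users:
        if row["user_name"].upper() != p_username.upper():
            continue
        # Constant-time comparison of the two base64 strings.
        if hmac.compare_digest(row["password"], candidate) and row["exp_date"] > sysdate:
            return row
    raise AuthError("Invalid username/password")


def valid_user(p_username, p_password, today=None):
    """Boolean wrapper, like valid_user on the APEX Code slide."""
    try:
        valid_user2(p_username, p_password, today)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    print(hash_password("password"))
    print(valid_user("jdoe", "password", today="2010-06-01"))  # True
    print(valid_user("jdoe", "password", today="2012-01-01"))  # False, expired
```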
BI Security Setup
• Set up a JDBC data source in WebLogic
• Add a SQLAuthenticator in WebLogic
  • Reorder so that this new provider is first in the list
  • Set the control flag to "SUFFICIENT"
  • Set up the provider-specific information
    • Uncheck plaintext password
    • List the data source
    • Check the queries
• Set up the BI System User
• Test the configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
• Load OVD templates
  • Enables BI to see database tables as LDAP attributes
  • Limited OVD capabilities embedded into Fusion Middleware
• Set the Virtualization parameter in Enterprise Manager
  • Enables you to leave the default authenticator setup
  • Recommended to leave the default authenticator
29
Partial OVD Template
30
<objectClass name="inetorgperson" rdn="cn">
  <attribute ldap="cn" table="USERS" field="U_NAME" type=""/>
  <attribute ldap="uid" table="USERS" field="U_NAME" type=""/>
  <attribute ldap="usernameattr" table="USERS" field="U_NAME" type=""/>
  <attribute ldap="loginid" table="USERS" field="U_NAME" type=""/>
  <attribute ldap="description" table="USERS" field="U_DESCRIPTION" type=""/>
  <attribute ldap="mail" table="USERS" field="MAIL" type=""/>
  <attribute ldap="orclguid" table="USERS" field="U_NAME" type=""/>
</objectClass>
Slide callouts: ldap="…" is the LDAP Attribute; table="…" / field="…" is the Database Column.
Virtualization Parameter in EM
31
BI System User
• Add the user to the database tables (no groups required)
• Map the user to the BISystem role in Enterprise Manager
• Add BISystemUser to the Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
• Try to log in to BI
• See if your table-based users show up in WebLogic
• If that fails, attempt to log in to WebLogic
  • Temporarily add the user to the WebLogic Global Admin Role
• Use the new diagnostics utility to isolate any problems
36
Diagnostics Application
• New application that ships with OBIEE 11.1.1.6
• Deploy bidiagnostics.ear to the Admin Server
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp
• Follow the instructions for configuration
• Restart BI
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp again
37
BI Diagnostics
38
For Further Information Oracle Technology Network
• Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
  • http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/toc.htm
• WebLogic Security
  • http://docs.oracle.com/cd/E23943_01/wls.htm#security
• Oracle Fusion Middleware Security Overview
  • http://docs.oracle.com/cd/E23943_01/core.1111/e12889/toc.htm
39
19
Columns of interest
bull APP_USERS
bull Password ndash stores hashed password
bull Exp_date ndash must be greater than sysdate to login to BI or APEX
bull User_Type_id ndash determines authorization in APEX application
bull Demo
bull Usable_by_id ndash determines what type of user can use this demo
bull logic built into the auth_utilusable function
bull Bad design ndash should have created a user_type to demo table
bull Groups
bull Group_type_id ndash used to distinguish between groups and web
groups
20
PLSQL Package
CREATE OR REPLACE PACKAGE AUTH_UTILldquo AS
PROCEDURE valid_user2
( p_username IN VARCHAR2 p_password IN VARCHAR2)
FUNCTION valid_user
(p_username IN VARCHAR2 p_password IN VARCHAR2)
RETURN BOOLEAN
PROCEDURE set_password
(p_username IN VARCHAR2 p_password IN VARCHAR2)
PROCEDURE login
(p_username IN VARCHAR2 p_password IN VARCHAR2
p_session_id IN VARCHAR2 p_flow_page IN VARCHAR2 )
FUNCTION usable
( p_item_user_type_id IN NUMBERp_user_user_type_id IN NUMBER)
RETURN VARCHAR2
FUNCTION complex_password
( p_user_name IN VARCHAR2 p_old_password IN VARCHAR2
p_new_password IN VARCHAR2)
RETURN BOOLEAN
END AUTH_UTIL
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
RETURN VARCHAR2
AS
v_hash_algorithm pls_integer
v_return VARCHAR2(4000)
BEGIN
v_hash_algorithm = dbms_cryptohash_sh1
v_return = SHA-1|| utl_rawcast_to_varchar2( UTL_ENCODEBASE64_ENCODE( dbms_cryptohash( UTL_I18NSTRING_TO_RAW (p_password AL32UTF8)v_hash_algorithm)))
RETURN v_return
END
WebLogic defaults to base 64 encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
20
PLSQL Package
CREATE OR REPLACE PACKAGE AUTH_UTILldquo AS
PROCEDURE valid_user2
( p_username IN VARCHAR2 p_password IN VARCHAR2)
FUNCTION valid_user
(p_username IN VARCHAR2 p_password IN VARCHAR2)
RETURN BOOLEAN
PROCEDURE set_password
(p_username IN VARCHAR2 p_password IN VARCHAR2)
PROCEDURE login
(p_username IN VARCHAR2 p_password IN VARCHAR2
p_session_id IN VARCHAR2 p_flow_page IN VARCHAR2 )
FUNCTION usable
( p_item_user_type_id IN NUMBERp_user_user_type_id IN NUMBER)
RETURN VARCHAR2
FUNCTION complex_password
( p_user_name IN VARCHAR2 p_old_password IN VARCHAR2
p_new_password IN VARCHAR2)
RETURN BOOLEAN
END AUTH_UTIL
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
RETURN VARCHAR2
AS
v_hash_algorithm pls_integer
v_return VARCHAR2(4000)
BEGIN
v_hash_algorithm = dbms_cryptohash_sh1
v_return = SHA-1|| utl_rawcast_to_varchar2( UTL_ENCODEBASE64_ENCODE( dbms_cryptohash( UTL_I18NSTRING_TO_RAW (p_password AL32UTF8)v_hash_algorithm)))
RETURN v_return
END
WebLogic defaults to base 64 encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
21
Hash Function
FUNCTION hash_password(p_password IN VARCHAR2)
RETURN VARCHAR2
AS
v_hash_algorithm pls_integer
v_return VARCHAR2(4000)
BEGIN
v_hash_algorithm = dbms_cryptohash_sh1
v_return = SHA-1|| utl_rawcast_to_varchar2( UTL_ENCODEBASE64_ENCODE( dbms_cryptohash( UTL_I18NSTRING_TO_RAW (p_password AL32UTF8)v_hash_algorithm)))
RETURN v_return
END
WebLogic defaults to base 64 encoded SHA-1 hashed password
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
APEX security setup
22
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
APEX Code
23
function valid_user (p_username in varchar2 p_password in varchar2) return boolean AS
BEGIN
valid_user2(p_username p_password)
return true
exception when others then return false
END valid_user
procedure valid_user2 (p_username in varchar2 p_password in varchar2) AS
v_dummy varchar2(1)
BEGIN
select 1
into v_dummy
from app_users
where upper(user_name) = upper(p_username)
and password = hash_password(p_password)
exception when NO_DATA_FOUND then
raise_application_error(-20000Invalid usernamepassword)
END valid_user2
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
BI Security Setup
bull Setup JDBC data source in WebLogic
bull Add SQLAuthenticator in WebLogic
bull Reorder so that this new provider is first in the list
bull Set control flag to ldquoSUFFICIENTrdquo
bull Setup Provider Specific information
bull Uncheck plaintext password
bull List Data Source
bull Check queries
bull Setup BI System User
bull Test Configuration
24
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
JDBC Data Source
25
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
Authentication Provider
26
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
bull Try to login to BI
bull See if your table-based users show up in WebLogic
bull If that fails attempt to login to WebLogic
bull Add user temporarily to user to WebLogic Global Admin Role
bull Use new diagnostics utility to isolate any problems
36
Diagnostics Application
bull New Application that ships with OBIEE 11116
bull Deploy bidiagnosticsear to the Admin Server
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
bull Follow instructions for configuration
bull Restart BI
bull Navigate to
httphostportbidiagnosticssercuritydiagnosticsjsp
37
BI Diagnostics
38
For Further Information Oracle Technology Network
bull Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition bull httpdocsoraclecomcdE23943_01bi1111e10543tochtm
bull WebLogic Security
bull httpdocsoraclecomcdE23943_01wlshtmsecurity
bull Oracle Fusion Middleware Security Overview bull httpdocsoraclecomcdE23943_01core1111e12889tochtm
39
Provider Details
27
Verify Provider is working in WebLogic
28
SQL Authenticator
Setup Virtualization
bull Load OVD templates
bull Enables BI to see database tables as LDAP attributes
bull Limited OVD capabilities embedded into Fusion Middleware
bull Set Virtualization parameter in Enterprise Manager
bull Enables you to leave the default authenticator setup
bull Recommended to leave the default authenticator
29
Partial OVD Template
30
ltobjectClass name=inetorgperson rdn=cngt
ltattribute ldap=cn table=USERS field=U_NAME type=gt
ltattribute ldap=uid table=USERS field=U_NAME type=gt
ltattribute ldap=usernameattr table=USERS field=U_NAME type=gt
ltattribute ldap=loginid table=USERS field=U_NAME type=gt
ltattribute ldap=description table=USERS field=U_DESCRIPTION type=gt
ltattribute ldap=mail table=USERS field=MAIL type=gt
ltattribute ldap=orclguid table=USERS field=U_NAME type=gt
ltobjectClassgt
Database Column
LDAP Attribute
Virtualization Parameter in EM
31
BI System User
bull Add user to Database tables (no groups required)
bull Map user to BISystem Role in Enterprise Manager
bull Add BISystemUser to Credential Store
32
BI System User in Identity Store
33
Identity Store
Oracle11g
BI System User in Policy Store
34
Policy Store
Built-in Role
BI System User in Credential Store
35
Credential Store
Oracle11g
Testing
• Try to log in to BI
• See if your table-based users show up in WebLogic
• If that fails, attempt to log in to WebLogic
  - Temporarily add the user to the WebLogic Global Admin role
• Use the new diagnostics utility to isolate any problems
Diagnostics Application
• New application that ships with OBIEE 11.1.1.6
• Deploy bidiagnostics.ear to the Admin Server
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp
• Follow the instructions for configuration
• Restart BI
• Navigate to http://host:port/bidiagnostics/sercuritydiagnostics.jsp again
BI Diagnostics