OBIEE 11g Security Policy


There are combinations of different stores (Identity Store,Policy Store,Credential Store) which take active role defining OBIEE 11g security including both Authentication and Authorisation . The below diagram mostly describes the process flow and the integrated components. Description for the flow (with the components) will be available in the same thread updated … keep watching my space 🙂

Identity Store: It is directory server to perform the authentication. It contains user name , password and groups membership information .When a user name and password combination is entered at log in, the authentication provider searches the identity store to verify the credentials provided.

Policy Store: Contains the definition of Application Roles, Application Policies, and the mapping between them.A policy store can be file-based or LDAP-based.Oracle Business Intelligence permissions are granted by mapping users and groups from the identity store to Application Roles and permission grants located in the policy store.

Credential Store: It is responsible for securely storing and providing access to credentials required by Oracle Business Intelligence Applications components internally.For e.g, SSL Certificates stored here.

Two way the authentication can be done . Oracle Weblogic Administrator Console used to manage Embedded directory server (LDAP) to authenticate Users and Groups.Sometimes Oracle Internet Directory is used as authentication provider and OID console is used to manage user and groups.

After the authentication done , the authorisation will be done across Policy store and Credential store where application role and group mapping will be executed .

Application and System related security credential will be store inside the Credential Store (oracle wallet) .

OBIEE 11g R1 Architecture


Below diagram depicts the standard logical architecture of Oracle business intelligence 11g system Release 1.0 .It also represents the essence of OBIEE11g pictorially with the proper workflow of the interdependent components .Note that below diagram represents single node based architecture .The horizontal and virtual clustering across multiple nodes will be demonstrated later part of this exercise or on separate thread will be discussed later …

BI Domain:

Overall system is called “Oracle BI Domain” . This comprises of Java components deployed into J2EE containers , non java system components and required configuration files, metadata, repositories, and infrastructure. Oracle Enterprise Manager(OEM) acts as “Fusion Middleware Control” which together with Weblogic Admin Console are the basic backbone,the powerhouse and the Admin Activity controller for the entire domain .

Weblogic Server Domain: The logical domain consists of Admin server and Managed server .It comprises mainly with all the Java modules to trigger the java services .A peer handshaking has been done between WLSD and Oracle BI Instance.

Administration Server:

A JEE container that runs in a dedicated Java virtual machine that contains Java components for administering the system .It typically trigger the start,stop kind of admin activity for his peer Manager server processes.

Managed Server:

A JEE container that runs in a dedicated Java virtual machine that provides the run-time environment for the Java-based services and applications within the system.The services comprises of BI plugin , Security , publisher ,SOA ,BI Office services etc .

Node Manager:

Node Manager provides process management services for the Administration Server and Managed Server processes.Its a separate java utility runs to trigger the auto start , stop , restart activities for distributed Managed server.

Oracle Process Manager and Notification Server(OPMN):

It is monitored , managed and controlled by Fusion Middleware Controller(OFMW). It is also used for distributed process start/stop/restart i.e maintains the Oracle Business Intelligence system component processes.Also used for performance collection using Dynamic Monitoring System (DMS) .

Oracle Weblogic Server (Console):

It is the replacement of Oracle 10g R3 middle tier cluster topology based on Oracle Container for Java (OC4J) . It is a Java EE application server that supports the deployment of Oracle Business Intelligence Java components and primarily host the java component services inside Managed server .

Oracle WebLogic Server Administration Console access has been provided by Fusion Middleware Control.Oracle WebLogic Server Administration Console enables to monitor and manage a WebLogic Server domain. Its capabilities include the following:

  • Monitoring health and performance of JEE servers
  • Configuring WebLogic domains
  • Stopping and starting JEE servers
  • Viewing JEE server logs

Fusion Middleware Control:

Fusion Middleware Control is a browser-based tool and the recommended method for monitoring, managing, and configuring Oracle Business Intelligence components.

Fusion Middleware Control is used principally for managing the system components of a BI domain and provides support for the following:

  • Starting, stopping, and restarting all system components (BI Server,BI Presentation Server) and Managed Servers
  • Configuring preferences and defaults
  • Scaling out of system components
  • Managing performance and monitoring system metrics(DMS-Dynamic Monitoring System)
  • Performing diagnostics and logging (ODL-Oracle Diagnostic Logging)

Fusion Middleware Control also provides access to Oracle WebLogic Server Administration Console, where you monitor and manage Oracle Business Intelligence Java components.

To be very precise OFMW contains to components ..i.e. Java Components managed by Weblogic Server and System components managed by Oracle Process Manager and Notification (OPMN) and this includes below as well including BI components :

  • Oracle HTTP Server
  • Oracle Web Cache
  • Oracle Internet Directory
  • Oracle Virtual Directory
  • Oracle Forms Services
  • Oracle Reports
  • Oracle Business Intelligence Discoverer

OFMW Environment: Oracle Fusion Middleware environment contains Oracle WebLogic Server domain (including Administration Server, two Managed Servers) , an Oracle instance and Metadata repository .

Java components: Deployed as one or more Java EE applications:

  • Administrative Components — Enterprise Management applications and JMX MBeans for managing all configuration and run-time settings for Oracle Business Intelligence.
  • Oracle BI Publisher — This component provides an enterprise reporting solution for authoring, managing, and delivering all types of highly formatted documents to employees, customers, and suppliers.
  • Oracle BI Office — This component provides the integration between Oracle Business Intelligence and Microsoft Office products.
  • Oracle BI Action Services — This component provides the dedicated Web services that are required by the Action Framework and that enable an administrator to manually configure which Web service directories can be browsed by users when they create actions.
  • Oracle Real-Time Decisions (Oracle RTD) — This component provides enterprise analytics software solutions that enable companies to make better decisions in real-time at key, high-value points in operational business processes.
  • Oracle BI Security Services — This component provides dedicated Web services that enable the integration of the Oracle BI Server with the Oracle Fusion Middleware security platform i.e JPS (Java Platform Security) , CSF (Credential Store Framework) and users and groups managed by  BI LDAP security.
  • Oracle BI SOA Services — This component provides dedicated Web services for objects in the Oracle BI Presentation Catalog, to invoke analyses, agents, and conditions. They make it easy to invoke Oracle Business Intelligence functionality from Business Process Execution Language (BPEL) processes.
  • Oracle BI Plugin — A JEE application that routes HTTP and SOAP requests to Oracle BI Presentation Services.

System components: Deployed as non-JEE components, such as processes and services written in C++ and J2SE:

  • Oracle BI Server — This component provides the query and data access capabilities at the heart of Oracle Business Intelligence and provides services for accessing and managing the enterprise semantic model (stored in a file with a .RPD extension).
  • Oracle BI Presentation Services — This component provides the framework and interface for the presentation of business intelligence data to Web clients. It maintains an Oracle BI Presentation Catalog service on the file system for the customization of this presentation framework.
  • Oracle BI Scheduler — This component provides extensible scheduling for analyses to be delivered to users at specified times. (Oracle BI Publisher has its own scheduler)
  • Oracle BI JavaHost — This component provides component services that enable Oracle BI Presentation Services to support various components such as Java tasks for Oracle BI Scheduler, Oracle BI Publisher, and graph generation.
  • Oracle BI Cluster Controller — This components distributes requests to the BI Server, ensuring requests are evenly load-balanced across all BI Server process instances in the BI domain.

Strange… Weblogic Password Visible !!!


I got to figure out that my Weblogic password is visible in command window after I trigger ‘Start BI Services’ from program menu and while the Admin Server starting up we can visualise the password .Got to capture this issue : Here is the snippets …

Also during Managed server start up the same password visible again. This is a probable bug and Oracle should encrypt it in future OBIEE 11g version …

Oracle Business Intelligence Enterprise Edition(OBIEE) 11g Installation


Below screenshots will guide you through step by step installation of OBIEE 11 g Fusion Middleware product .Before start the setup make sure Oracle 11g database installed and RCU setup completed.

Step 1: Download OBIEE 11g (11.1.1.3.0) version from below link of OTN .

http://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/business-intelligence11g-240521.html

Prerequisite has been installed as  : Oracle 11g DB R2 and RCU 11.1.13.3 .

Now extract the download copy into two different folders ….

Merge the two folders content into single directory “..\bi_windows_x86_111130_32_disk1_1of2\bishiphome” .

Step 2: For DHCP computer having no permanent IP Address you need to configure Microsoft default Loopback address .Follow the steps provided under section “Installing a Loopback Adapter on Windows 2003 or Windows XP”  from Nicolas Loopback Adapter Configuration .The glimpse of it as below:

Step 3: Execute the setup.exe .

Oracle Universal Installer (OUI) pre-requisite verification started .

Then the OFMW 11g Installer template initiated.

Step 4: Click Next on Welcome screen appeared below.

Step 5: Select the “Installation Type” as ‘Simple’ .This is most easiest and recommended for first try .All the parameters will be set by default.

N.B:- Enterprise installation is mostly required in Scalable system having the configuration required across multiple Weblogic domain or joining a existing domain to existing Weblogic Server .The “Software Only Install” requires the configuration done in different phase after the enterprise wide installation is over .

Step 6: Pre-requisites check has been done .

Step 7: Specify the installation location .

Step 8: Enter the ‘Weblogic’ Admin credentials . In my case the password is : ‘weblogic#1’ (without quotes to meet Oracle Password standard) .

Step 9: Configuring the components . In my case I select all .

Step 10: Specify the connection parameters ..

N.B:- Be aware of the joker type error message thrown here during my first installation as “INST-08029 Unable to connect to Database with given credentials.” It seems to be an Oracle BUG .See the issue in screenshot .



The reason of this error is the BIPLATFORM schema password .In RCU utility if you provide the password same as Schema name it would be creating trouble. Not sure whether it doesn’t accept the same password or it doesn’t accept the underscore(‘_’) character .I have not investigate further on it 😦

Anyway I get rid of it after dropping the RCU schema for BI and recreate the same with password as ‘rcu’ .This password has been provided here .

Step 11: Specify security update section .

Step 12: Finalise the installation .

The installation started …..

After installation done the configuration Process starts …

Step 13: The installation and configuration completed .Click Finish .

So finally OBIEE11g has been installed successfully with the below access details for different application :


Type: Simple Install
Installation Details
Middleware Home: E:\OraFMW11g
BI Oracle Home: E:\OraFMW11g\Oracle_BI1
WebLogic Server Home: E:\OraFMW11g\wlserver_10.3
BI Domain Home: E:\OraFMW11g\user_projects\domains\bifoundation_domain
BI Domain Name: bifoundation_domain
Instance Home: E:\OraFMW11g\instances\instance1
Instance Name: instance1
Configure Components
WebLogic Console
http://deba:7001/console
Oracle Enterprise Manager
http://deba:7001/em
Business Intelligence Enterprise Edition
http://deba:9704/analytics
Business Intelligence Publisher
http://deba:9704/xmlpserver
Real-Time Decisions
http://deba:9704/ui

Step 14: After the installation concludes , Weblogic Server and BI Server started , IE browser window opens automatically with the homepage of Oracle Business Intelligence instance .Logging in using the weblogic server User name and password given at Step 8 .

Voici … OBIEE11g installation has been completed successfully .