OBIEE 11g LDAP with HTTPS – SSL Setup


Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL protocol, providing encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.

The purpose of this thread is to establish the connection between the browser and the OBIEE 11g front-end on the WebLogic application server using the HTTPS protocol. The first part of the thread below describes that. The second part describes how to enable communication between the OBIEE components and the WebLogic Admin and Managed servers over the secure SSL protocol, so that this internal communication is protected by the SSL certificates.

In my case it is presumed that the OBIEE 11g repository is already configured with LDAP server based authentication.

Part One – Configuration under Weblogic Admin


The rest of the settings are described below:

1) Login to the Weblogic Administration Console.

2) Click on Environments -> Servers -> AdminServer (admin) -> General tab

3) Click Lock and Edit from the left pane.

4) Check 'SSL Listen Port Enabled' and set the port to 7002 (this is not a default SSL port enabled for all browsers, so please check yours and modify accordingly)

This will ensure that you can access the URL over https:// on port 7002.

5) Also check 'Listen Port Enabled' if you still want to access the BI URL using http://

6) Save the configuration

7) Activate the changes from left pane

8) Change the StartStopServices.cmd file in "<MiddleWare Home>\instances\instance1\bifoundation\OracleBIApplication\coreapplication", modifying only the parameters below:

set BI_URL=https://%wls.host%:%wls.mgd.port%/analytics

set wls.mgd.port=7002

9) Restart the Weblogic Servers (Admin/Managed) and the BI Server components

10) Accept the certificate exception in the browser when it prompts for it, and continue accessing the BI URL over the secure HTTPS protocol

(Note that once this has been switched to https://, you have to access the OFMW EM Control page and the Weblogic Console page over https:// as well going forward)

Part Two – Configuration under OFMW Enterprise Manager

1) Navigate to "<OFMW Home>\user_projects\domains\bifoundation_domain\bin" and take a backup of startManagedWebLogic.cmd

2) Edit it and locate the section with the below content:

set JAVA_OPTIONS=-Dweblogic.security.SSL.trustedCAKeyStore="<OFMW Home>\wlserver_10.3\server\lib\cacerts"

3) Replace the above with the below (note that you have to change the OFMW Home path as applicable to your environment):

set JAVA_OPTIONS= -Djavax.net.ssl.trustStore="<OFMW Home>\wlserver_10.3\server\lib\DemoTrust.jks" -Djavax.net.ssl.trustStorePassword="

4) Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)

5) In the next step the System MBean Browser will be configured to enable SSL across all BI components

6) Login to the OFMW Enterprise Manager Control page

7) Invoke the lock on BIDomain.

8) Now we have to generate the certificates required as a prerequisite for enabling SSL, using the specified passphrase to protect both the certificate stores and the private keys. This enables internal HTTPS calls to the web server. The certificate type (pem or der) must be stated explicitly.

Hence navigate to oracle.biee.admin -> bifoundation_domain -> BIDomain.BIInstance.SecurityConfiguration and click on the BIDomain.BIInstance.SecurityConfiguration MBean. On the Operations tab click on "generateSSLCertificates".

9) Enter the details asked for. In my case I entered the following:

Passphrase  : dxp12345

webServerCACertificatePath : \wlserver_10.3\server\lib\CertGenCA.der

certificateEncoding : der

10) Now click on Invoke

11) Return to the path specified in step 7 and click on simpleCommit.

12) Now go to the Attributes tab of the MBean from step 8, click on 'SSLEnabled', change the value from False to True and click on Apply.

13) Repeat step 7 to lock, and step 11 for simpleCommit.

14) Repeat Step 4

15) Return to the MBean from step 8, click on "runSSLReport", invoke it and check the report output to ensure correct SSL communication across all BI components:

That’s All for today …. See you next time … 🙂 stay tuned !

Bypass Username and Password on Weblogic server Startup


It's always annoying to enter the WebLogic server username and password on server start-up and shutdown. It would be nice if the process could be automated. There are two different approaches for this. One is to install it as a Windows Service and set its Startup Type to 'Automatic'. The other, more controllable approach is to modify the StartStopServices.cmd file of WebLogic to pass the WebLogic username and password variables with hard-coded predefined values.

To adopt the second approach, take a backup of the file "StartStopServices.cmd" located in the path below:

.\\[MIDDLEWARE_HOME]\instances\instance1\bifoundation\OracleBIApplication\coreapplication

and add the below strings to pass the values of the variables: -DWLS_USER=weblogic -DWLS_PW=weblogic#1

(here “weblogic#1” is my password)

Save the file and start the BI Services. The start-up will read the username and password from the file automatically and proceed with the start-up activities.

This will save some keystrokes at-least 🙂
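The two StartStopServices.cmd edits on this page (the https:// BI_URL and wls.mgd.port change in Part One, step 8, and the -DWLS_USER/-DWLS_PW strings above) can be checked with a small auditor. This is an added example, not code from the original posts; the script content it inspects is a constructed sample, and the expected SSL port is the 7002 used in Part One.

```python
"""Added example, not code from the original post: an auditor for the
StartStopServices.cmd settings discussed above.  It checks that BI_URL uses
https:// and a port matching wls.mgd.port (Part One, step 8) and reports a
WLS_PW value hard-coded into the script (the start-up bypass above).  The
sample file content is constructed, not the real file."""
import re

# constructed sample, not the real StartStopServices.cmd
SAMPLE_CMD = """\
set wls.host=bihost.example.local
set BI_URL=https://%wls.host%:%wls.mgd.port%/analytics
set wls.mgd.port=7002
set JAVA_OPTIONS=%JAVA_OPTIONS% -DWLS_USER=weblogic -DWLS_PW=weblogic#1
"""

SET_RE = re.compile(r'^\s*set\s+([\w.]+)\s*=\s*(.*?)\s*$', re.I | re.M)


def parse_set_vars(text):
    """Return the 'set NAME=value' assignments of a .cmd file as a dict."""
    return dict(SET_RE.findall(text))


def expand(value, env):
    """Expand %name% references from the parsed set variables; unknown ones stay."""
    return re.sub(r'%([\w.]+)%', lambda m: env.get(m.group(1), m.group(0)), value)


def audit_start_stop_services(text, ssl_port='7002'):
    """Return a list of findings; an empty list means the script is consistent."""
    env = parse_set_vars(text)
    findings = []
    bi_url = expand(env.get('BI_URL', ''), env)
    if not bi_url.lower().startswith('https://'):
        findings.append('BI_URL does not use https://: %r' % bi_url)
    port = env.get('wls.mgd.port')
    if port != ssl_port:
        findings.append('wls.mgd.port is %r, expected SSL listen port %r' % (port, ssl_port))
    m = re.search(r'^https?://[^/:]+:(\d+)', bi_url, re.I)
    if m and m.group(1) != ssl_port:
        findings.append('BI_URL port %s differs from SSL listen port %s' % (m.group(1), ssl_port))
    # the password of the second bypass approach sits in the script in clear text
    if re.search(r'-DWLS_PW=\S+', text):
        findings.append('WLS_PW is hard-coded in the script (plaintext credential)')
    return findings


if __name__ == '__main__':
    for finding in audit_start_stop_services(SAMPLE_CMD) or ['no findings']:
        print(finding)
```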

weblogic.security.SecurityInitializationException: Authentication for user weblogic denied


I just tried to see what the "Start BI Services" prompt would show when I put in a wrong username and password, and unfortunately it didn't return the result as expected if the input is wrong.

It returns the below window and neither the Admin server, the Managed server nor the Node Manager process gets started (due to the obvious security reason and verification failure), but the window hangs, prompting nothing... and this is a genuine issue. The user is expecting some information on the screen... which is not the case now... So the user needs to press [Control+C] to abort from the screen...

After digging down into the (..\\[Middleware_Home]\user_projects\domains\bifoundation_domain\servers\AdminServer\logs\AdminServer.log) file, it shows the below errors:

#### <[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <> <> <> <1301221608750> weblogic denied>
#### <<WLS Kernel>> <> <> <1301221608766> weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User weblogic javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User weblogic denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:250)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy22.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:91)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy40.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:929)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
>
#### <<WLS Kernel>> <> <> <1301221608844>
#### <<WLS Kernel>> <> <> <1301221608844>
#### <<WLS Kernel>> <> <> <1301221608844>
#### <<WLS Kernel>> <> <> <1301221608859>

OBIEE 11g Error: NQS 46028 Unable to get the DLL path for the CLI 10g/11g from the NQSConfig.ini file


This behavior has been found in the current release of OBIEE 11g. The same problem persists even if you upgrade an OBIEE 10g RPD to the 11g version. The problem appears during "metadata import using a TNS entry with the OCI 10g/11g driver" or while using "view data" in the RPD.

The error line shows:

NQS 46028:  Unable to get the DLL path for the CLI 10g/11g from the NQSConfig.ini file

DB connectivity seems okay from the command prompt or with sqlplus.

'tnsping <service_name>' from the command prompt returns the response perfectly. So it is not a DB issue; rather, the RPD is not able to connect to the DB.

Following the steps below resolved the issue:

1) Copying 'tnsnames.ora' from the Oracle DB path "E:\OraDeba11gR2\product\11.2.0\dbhome_1\NETWORK\ADMIN" to "E:\OraFMW11g\Oracle_BI1\network\admin" doesn't resolve the issue fully on its own.

2) Create an environment system variable (Windows system properties, Advanced) called ORACLE_INSTANCE and set the value to E:\OraFMW11g\instances\instance1 (without quotes).

3) Use absolute connection pool information in the RPD, or if VALUEOF has been used, make sure that it matches the tnsnames.ora configuration exactly (having the same value for SID or SERVICE_NAME will be fine in some cases):

ORADEBA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = Oradeba)
    )
  )

4) Restart the BI Server.

Voila …Everything will be fine  🙂

The reason behind the issue is that earlier releases up to OBIEE 10g did not bundle the Oracle client, so all DB connectivity was done using the default native Oracle driver (with a single look-up point for tnsnames.ora). But OBIEE 11g itself includes the Oracle client bundle, so connecting from the repository will always look up the tnsnames.ora file inside the Fusion Middleware path rather than the 11g DB network\admin path. So copying the same TNS file across the two paths resolves the issue.
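Because there are now two tnsnames.ora look-up points, the check in steps 1 and 3 (the alias used by the connection pool exists in the Oracle_BI1 copy and matches the DB home copy) can be scripted. This is an added example, not code from the original post; the file contents are constructed samples built around the ORADEBA entry shown above, and the stale copy with a wrong port is invented to show a mismatch.

```python
"""Added example, not code from the original post: a minimal tnsnames.ora
parser and the consistency check behind steps 1 and 3 above.  It confirms that
the alias named in the RPD connection pool exists in the tnsnames.ora copy under
the Fusion Middleware path and carries the same HOST/PORT/SERVICE_NAME/SID as
the copy in the database home.  The file contents below are constructed samples
built around the entry shown in the post."""
import re

# constructed sample of the DB home tnsnames.ora (entry taken from the post)
DB_TNS = """\
# sample tnsnames.ora (constructed)
ORADEBA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = Oradeba)
    )
  )
"""
# constructed stale copy under Oracle_BI1\network\admin with a wrong port
BI_TNS_STALE = DB_TNS.replace('PORT = 1521', 'PORT = 1522')

ALIAS_RE = re.compile(r'([\w.\-]+)\s*=\s*\(')
PAIR_RE = re.compile(r'\(\s*([A-Za-z_]+)\s*=\s*([^()]+?)\s*\)')


def parse_tnsnames(text):
    """Return {ALIAS: {KEY: value}} with the innermost (KEY = value) pairs of each entry."""
    text = '\n'.join(l for l in text.splitlines() if not l.lstrip().startswith('#'))
    entries, pos = {}, 0
    while True:
        m = ALIAS_RE.search(text, pos)
        if not m:
            return entries
        depth, i = 0, m.end() - 1          # index of the opening parenthesis
        while i < len(text):               # consume the balanced body
            depth += {'(': 1, ')': -1}.get(text[i], 0)
            i += 1
            if depth == 0:
                break
        body = text[m.end() - 1:i]
        entries[m.group(1).upper()] = {k.upper(): v for k, v in PAIR_RE.findall(body)}
        pos = i


def check_connection_pool(data_source_name, bi_tns_text, db_tns_text):
    """Return problems for the connection pool's Data source name; [] means it matches."""
    bi, db = parse_tnsnames(bi_tns_text), parse_tnsnames(db_tns_text)
    alias = data_source_name.strip().upper()
    if alias not in bi:
        return ['alias %s missing from the Oracle_BI1 copy of tnsnames.ora' % alias]
    if alias not in db:
        return ['alias %s missing from the DB home tnsnames.ora' % alias]
    return ['%s differs for %s: BI copy %r vs DB copy %r'
            % (key, alias, bi[alias].get(key), db[alias].get(key))
            for key in ('HOST', 'PORT', 'SERVICE_NAME', 'SID')
            if bi[alias].get(key) != db[alias].get(key)]
```

Run check_connection_pool with the Data source name from the connection pool and the text of both files; an empty list means the two look-up points agree.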

Hopefully Oracle will fix this in a later release so that it always picks up the absolute reference of the Oracle DB path.

OBIEE 11g Configuration Assistant On Windows Fails To Start The Cluster Controller


During the installation of OBIEE 11g (Version: 11.1.1.3.0 [1905]), the configuration assistant fails at the cluster manager configuration step with the following error:

OBIEE 11g Configuration Assistant On Windows Fails To Start The Cluster Controller (Obiccs1) With Error Nqserror: 46036

Executing : opmnctl start coreapplication_obiccs1

The installer *.out log ([date stamp].out) in C:\Program Files\Oracle\Inventory\logs will show:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1>SET ORACLE_HOME=C:\[middleware_home]\Oracle_BI1

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1>CALL “C:\[middleware_home]\instances\instance1\bin\opmnctl.bat” startproc ias-component=coreapplication_obiccs1
opmnctl startproc: starting opmn managed processes…
================================================================================
opmn id=[hostname]:9501
0 of 1 processes started.

ias-instance id=instance1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--------------------------------------------------------------------------------
ias-component/process-type/process-set:
coreapplication_obiccs1/OracleBIClusterControllerComponent/BIClusterController/

Error
--> Process (index=1,uid=993659221,pid=1100)
failed to start a managed process after the maximum retry limit
Log:
none

java.lang.Exception: opmnctl task failed
at oracle.as.install.bi.biconfig.standard.OpmnctlTask.doExecute(OpmnctlTask.java:76)
at oracle.as.install.bi.biconfig.standard.AbstractProvisioningTask.execute(AbstractProvisioningTask.java:79)
at oracle.as.install.bi.biconfig.standard.StandardProvisionTaskList.execute(StandardProvisionTaskList.java:61)
at oracle.as.install.bi.biconfig.BIConfigMain.doExecute(BIConfigMain.java:110)
at oracle.as.install.engine.modules.configuration.client.ConfigAction.execute(ConfigAction.java:335)
at oracle.as.install.engine.modules.configuration.action.TaskPerformer.run(TaskPerformer.java:87)
at oracle.as.install.engine.modules.configuration.action.TaskPerformer.startConfigAction(TaskPerformer.java:104)
at oracle.as.install.engine.modules.configuration.action.ActionRequest.perform(ActionRequest.java:15)
at oracle.as.install.engine.modules.configuration.action.RequestQueue.perform(RequestQueue.java:63)
at oracle.as.install.engine.modules.configuration.standard.StandardConfigActionManager.start(StandardConfigActionManager.java:158)
at oracle.as.install.engine.modules.configuration.boot.ConfigurationExtension.kickstart(ConfigurationExtension.java:81)
at oracle.as.install.engine.modules.configuration.ConfigurationModule.run(ConfigurationModule.java:83)
at java.lang.Thread.run(Thread.java:619)

Checking the Cluster Controller diagnostic log in:

[drive]:\[middleware_home]\instances\instance1\diagnostics\logs\OracleBIClusterControllerComponent\coreapplication_obiccs1

will show:

[nQSError: 46036] Internal Assertion: Condition rCCSNodeDB.SetConfigInfo(rCCSNodeDB.GetOurNodeId(), GetClusterServerStartTime()), file server\cluster\clusterserver\Src\CLSMain.cpp, line 262

The main reason for this error is related to the network settings on your server.
It is usually reproduced on machines configured with DHCP or in a private network (such as a NAT configuration in a virtual machine) where the loopback adapter is not configured, or not configured correctly. It generally does not occur with a static IP address configuration; however, it can occur if domain name server (DNS) resolution is not configured, or not configured correctly.

From a command prompt, execute the following:

  • nslookup hostname
  • nslookup hostname.domainname
  • nslookup IP address

Each command should resolve without errors. If there are errors, please see your network administrator.

The network configuration needs to be done before the installation starts; however, if you are stuck at the configuration assistant "progress screen", a workaround is to remove any occurrence of a domain name from the following file:

[middleware_home]\instances\instance1\config\OracleBIApplication\coreapplication\NQClusterConfig.INI

After you have changed the file, then click the ‘retry’ button in the configuration assistant.

Lastly, if using a static IP and the above solutions do not resolve the problem, do the following:

  • Update your Windows hosts file (32-bit or 64-bit) located at [drive]:\Windows\System32\drivers\etc\hosts to include the machine IP address and hostname, for example:
    10.100.100.10  hostname
    10.100.100.10  hostname.domain   (for a machine having a Fully Qualified Domain Name (FQDN))

After that, click the 'retry' button in the configuration assistant for it to continue, or run the following command in an administrator command shell to check and start the Cluster Controller before retrying in the configuration assistant:
[middleware home]\instances\biee_instance\bin>opmnctl.bat startproc ias-component=coreapplication_obiccs1
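The three nslookup checks and the hosts file workaround above amount to one consistency rule: the short hostname and the FQDN must both resolve to the machine's address, and that address must resolve back to one of them. The following is an added example, not code from the original post; it takes the resolver functions as parameters so the rule can be exercised against a constructed table, and the hostname, domain, address and hosts file content are constructed examples.

```python
"""Added example, not code from the original post: the name-resolution checks
behind the three nslookup commands above, plus a check of the hosts file
entries used in the static-IP workaround.  check_resolution() takes the
resolver functions as parameters so the logic can be exercised without a live
network; by default it uses the socket module.  The hostname, domain, address
and hosts file content below are constructed examples."""
import socket

# constructed hosts file content, not a real machine's file
SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.100.100.10   bihost bihost.example.local   # BI server, constructed
"""


def hosts_file_entries(text):
    """Parse hosts-file text into {name: ip}; comments and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if fields:
            for name in fields[1:]:
                entries[name.lower()] = fields[0]
    return entries


def check_hosts_file(text, hostname, domain, ip):
    """Return the names the hosts file does not map to ip (both must be present)."""
    entries = hosts_file_entries(text)
    return [name for name in (hostname, '%s.%s' % (hostname, domain))
            if entries.get(name.lower()) != ip]


def check_resolution(hostname, domain, ip, resolve=socket.gethostbyname,
                     reverse=lambda addr: socket.gethostbyaddr(addr)[0]):
    """Return resolution problems; [] means hostname, FQDN and address all agree."""
    fqdn = '%s.%s' % (hostname, domain)
    problems = []
    for name in (hostname, fqdn):
        try:
            got = resolve(name)
        except (OSError, LookupError) as exc:   # socket errors, or a table-backed stub
            problems.append('%s does not resolve: %s' % (name, exc))
            continue
        if got != ip:
            problems.append('%s resolves to %s, expected %s' % (name, got, ip))
    try:
        back = reverse(ip).lower()
    except (OSError, LookupError) as exc:
        problems.append('%s has no reverse entry: %s' % (ip, exc))
    else:
        if back not in (hostname.lower(), fqdn.lower()):
            problems.append('%s reverse-resolves to %s, not %s' % (ip, back, fqdn))
    return problems
```

Called with the defaults, check_resolution performs the same lookups as the three nslookup commands; a non-empty list is the condition under which the Cluster Controller start is expected to fail.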

OBIEE 11g Security Policy


There are combinations of different stores (Identity Store, Policy Store, Credential Store) which take an active role in defining OBIEE 11g security, covering both authentication and authorisation. The diagram below mostly describes the process flow and the integrated components. A description of the flow (with the components) will be added to this same thread... keep watching my space 🙂

Identity Store: the directory server that performs authentication. It contains user names, passwords and group membership information. When a user name and password combination is entered at login, the authentication provider searches the identity store to verify the credentials provided.

Policy Store: contains the definition of Application Roles, Application Policies, and the mapping between them. A policy store can be file-based or LDAP-based. Oracle Business Intelligence permissions are granted by mapping users and groups from the identity store to Application Roles and permission grants located in the policy store.

Credential Store: responsible for securely storing and providing access to the credentials required internally by Oracle Business Intelligence components; for example, SSL certificates are stored here.

Authentication can be done in two ways. The Oracle WebLogic Administration Console is used to manage the embedded directory server (LDAP) that authenticates users and groups. Alternatively, Oracle Internet Directory is used as the authentication provider and the OID console is used to manage users and groups.

After authentication is done, authorisation is performed across the Policy Store and Credential Store, where the application role and group mapping is executed.

Application and system related security credentials are stored inside the Credential Store (Oracle wallet).