Master Note For Performance Issues in OBIEE

Master Note for Performance Issues in OBIEE (Doc ID 1293374.
1)
OBIEE: Instructions for Setting up the Performance Monitor Counters
(PERFMON) for Windows
Steps to setup the Perfmon counters:
1. Log in to Windows and run Perfmon from the command prompt.
2. The Performance window appears. Hit the + sign next to Performance Logs and Alerts.
Page 1
Page 2
3.Click the + sign to bring the Add Counters display as below.
Page 3
Page 4
Page 5
4. From the Performance Object dropdown box, choose Process.

From Select the instances choose Sawserver as the instance.
From Select Counters from list choose, Private Bytes and Virtual Bytes.
Page 6
Page 7
Repeat the above steps for NQServer also.

Even though we look in to Virtual Bytes and Private Bytes for the OBIEE crashes, it should be noted that there are
several other counters available. Based on the nature of the crash and recommendation from support,
information from other counters are requested.
5. Navigate back to Performance window. On the left pane, click on Performance Logs and Alerts. Click on the
System Overview properties on the right. This will bring up the System Overview Properties. Select the 15 second
intervals as the time for sampling the data.
6. Navigating to the Log files tab, you can select nature of the output as shown below.
Page 8
Page 9
Page 10
Page 11
7. For a comprehensive list of files to be provided to the support when encountering OBIEE crash on Windows is
referenced in the note 784203.1.
Page 12
Page 13
How To Troubleshoot Performance issues in OBIEE 10g? (Doc ID

1096900.1)
TROUBLESHOOTING STEPS
Overview
It is very important to identify the problem component first. It could be BI Server, Presentation Services
or the database. Check the nQQuery.log to see the BI server and database response times. Run the
Page 14
physical SQL (captured from the nQQuery.log for the slow report) directly on the database from the BI
server using tools like SQL*Plus.
If the physical SQL is taking a long time, then the cause of the poor performance is likely to be on the
database. You will need to tune the database to run the SQL efficiently.
If the query runs quickly in the nQQuery.log, then Presentation Services might be taking more time to
display the results. This will happen if you have a significant number of chart or pivot views for the
reports. Check if changing the existing reports to table views improves performance. A good way to
confirm an issue with Presentation Services is to check if the the query is fast in the ODBC client.
Tools To Troubleshoot Performance Issues
nQQuery.log
Set log level 5 to generate detailed information.
Page 15
If you are troubleshooting one query only, you do not need to set log level for all users, you can set it
on a per query basis.
1. Open the report you are troubleshooting in Answers.
2. Go to the "Advanced" tab.
3. Enter:
SET VARIABLE LOGLEVEL=5;
in the "Prefix" form box . Note that the semicolon, ";", is required.
4. Navigate to the Results tab.
Usage Tracking
When you enable usage tracking, statistics for every query are inserted into a database table or are
written to a usage tracking log file.
If the performance problem is with a single report then nQQuery.log is more useful than usage tracking.
nQQuery.log file shows the physical SQL query and logical execution plan. Usage tracking does not have
Page 16
this information. Usage Tracking can be enabled all of the time and can be stored in a table for analysis.
Do not have nQQuery.log at level 5 and above all the time as it will degrade performance.
Perfmon Logs
Perfmon logs gather memory usage statistics. They are especially useful when the entire application
becomes slow some time after start up. Check if the application responds quickly after restarting the
services. If you start seeing issues after some time of using the application, this might indicate you
have memory-related issues. See note 1054009.1 - Instructions for setting up the Performance Monitor
Counters (PERFMON) for Windows, for more information on using Perfmon on Windows.
For Unix, use the following commands to gather performance statistics:
ps -ef|grep <obi process>
vmstat
Page 17
iostat
top
Presentation Services
Use a default value for the prompts in dashboards. This will make sure that the reports will return a
smaller result set as soon as the user enters the application and runs the default page. If this is not
possible to do due to the business requirements, consider adding some links on the dashboard page for
reports, so that the users can click on particular reports as needed.
Check how many rows are being retrieved. The OBIEE should not be used to display hundreds of
thousands of rows, instead use reports that are filtered and aggregated by some attributes. These type
of reports, especially if they are pivot view reports, are bad for performance. Pivot views return all the
rows at once. They do not have paging controls.
Too many pivot and chart views on a dashboard page can make the UI very slow to display. Check for
Page 18
hidden sections and guided navigations that always run.

Make sure the logconfig.xml file is not modified to get enhanced logging. This is not recommended in
production systems. The following note has more information: note 740257.1 - How to Increase SAW
Logging?
OBI Server
DBFeatures
Depending on the ability of the database to handle certain functions, the DB features tab should be set
appropriately in the repository. From the physical layer click on Database to see the DB Features tab. If
one of the database features is turned off, incorrect SQL might be generated by OBI. This might be
expensive in terms of performance. Check if any features have been changed.
Initialization Blocks and Connection Pool
When users log in to the application, several session variable init blocks are run sharing a connection
Page 19
pool. Usually, the users running reports use up the connections in the connection pool and users
logging in face a delay waiting for connections to free up. To overcome this, create a separate
connection pool for the initialization blocks. This can address the issue with Logging in message
being shown for a long time.
Disable unused init blocks and consolidate the other init blocks. It is a good idea to create SQL in the
init blocks to populate many variables instead of having many simple init blocks.
Repository Considerations
The repository should be designed according to best practices. De-normalize dimensional objects,
combine several dimensional attributes into one flat table. This will help reduce joins. Model your
physical tables in a way that should help in creating simpler Business Models. Use Aggregate Tables
when necessary to improve performance. Aggregate tables will need additional ETL, storage and
complex mapping efforts.
Cross-Database Joins
BI Server has the ability to perform cross-database joins or federated queries. This feature allows
Page 20
OBIEE to get data from different databases and then stitch them together into a single report. This can
be expensive in terms of performance when compared to joins within the same database. For crossdatabase joins, tables are normally loaded into memory, and then joined.
Complex Calculations
Although OBIEE has the capability to perform complex calculations in the repository and in Answers,
sometimes, it might improve performance to move these calculations to ETL. If you have complex logic
that involves complex SQL, it is a good idea to consider pushing this logic to ETL rather than handling it
in the repository.
Caching
Caching can be very helpful in alleviating performance issues for complex queries that are used many
times. iBots can be used to seed queries during off peak hours to achieve improved performance. See
the section Strategies for Using the Cache in the Oracle Business Intelligence Server Administration
Guide for more information.
Page 21
Connection Pool and Nqsconfig.ini

Out-of the-box values will work for most customers. For a large number of concurrent users, use the
following guideline for the maximum number of connections in a connection pool:
20% of concurrent users * number of reports per dashboard.
Control long running queries
If you create ad hoc queries in Answers, it is better to set certain timeout parameters in the repositories
and/or in instanceconfig.xml file.
Database
When analysing the nQQuery.log, if the physical SQL is taking a long time, performance tuning needs to
be done on the database. Most databases have many parameters and advanced features that will help
run the queries efficiently. DBAs can help tune the database for these slow running queries. Oracle
Database features like proper indexing, partitioning and Star Transformations can help performance to a
great extent.
Page 22
Other Factors
Sizing of the OBI servers is an important part in implementations when the number of users and the
complexity of the dashboards/reports is significant.
The size of the repository and web catalog might affect the start up times of the services. Remove any
obsolete items from the repository and web catalog.
Sometimes ODBC tracing is enabled to troubleshoot ODBC issues. This can cause huge performance
problems. This is not indicated in any OBIEE log files.
Check for any network issues. It might be necessary to enable network tracing tools if you suspect
problems are caused by a slow network.
Page 23
How To Monitor Oracle Business Intelligence Enterprise Edition (OBIEE)

10g Performance
Page 24
Page 25
Page 26
OBIEE 11g: Master Note for Security/Access Control Issues (Doc ID

1293407.1)
Page 27
OBIEE 11g: How To Move or Migrate Roles, LDAP Users or Groups and
Repository or Web Catalog Contents From Test To Production
Environments (Doc ID 1273913.1)
SOLUTION
To move Business Intelligence components to a new Production environment, please see the
following documentation:
Oracle Fusion Middleware Administrator's Guide11g Release 1 (11.1.1)
Chapter 20 Moving from a Test to a Production Environment
Page 28
Topic : 20.9.1 Moving Oracle Business Intelligence Components to a New Production Environment
To move Application Roles, please see:
Oracle Fusion Middleware Application Security Guide 11g Release 1 (11.1.1)
7.3.2 Migrating Policies with the Command migrateSecurityStoremigrateSecurityStore
To move WebLogic LDAP Users and groups, please see:

Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3)
Chapter 8 Migrating Security Data
To move the web catalog contents, use the Replication Agent.
Page 29
Please see Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence
Enterprise Edition 11g Release 1 (11.1.1)
17.12 Replicating Oracle BI Presentation Catalogs
The recommendation is to use this process instead of Copy and Paste.
What Authentication Mechanisms are supported in OBIEE 11g (Doc ID

1314339.1)
QUESTIONS AND ANSWERS
Page 30
Authentication Mechanisms Currently Supported in OBIEE 11.1.1.3.0
FMW Security Authentication Mechanism

Users and Groups in LDAP
Certified/Supported LDAP versions as listed in published matrix:
OID (OID Authenticator)
OVD (OVD Authenticator)
AD (AD Authenticator)
OpenLDAP (OpenLDAP Authenticator)
Sun Java System Directory Server version 6.3 (iPlanet Authenticator)

Page 31
eDirectory 8.8. (NovellAuthenticator)
Native Weblogic LDAP (Default Authenticator)
Init Block Security Authentication Mechanism
Users in LDAP, group membership in database
Database Authentication
Custom Authenticators
*multiple AD Domains
EBS authentication
Page 32
64bit platforms (requires PATCH:10395783">10395783)
Authentication That is not Supported in OBIEE 11.1.1.3.0
SiteMinder 6 or OAM as an Authenticator
Group membership in a database
Multiple Authenticators *2(Only the 1st Authenticator provider in the weblogic security > provider list is
used by OBIEE 11.1.1.3
Page 33
*3 Any Authenticator other than those used for the list of certified LDAPs listed above plus the Default
Authenticator.
Use of Asserters and Authenticators combined with Init Block Authentication
BI Publisher Limitations
RTD
Delivers Limitations when using EBS authentication
Hyperion CSS integration
Page 34
For more information on what is certified and suported with this version and later ones, see the
certification matrix.
Note :
* - Not tested
*2 - OBIEE restriction only (BIP and RTD can use multiple authenticators)
*3 - Only those Authenticators related to Identity Stores that have an appropriate implementation of the
OPSS UserRoleAPI may be used. OBIEE restriction only (BIP and RTD can use multiple authenticators).
REFERENCES
NOTE:1314357.1 - What SSO Mechanisms Are Supported In OBIEE 11g
Page 35
Configuring Oracle Business Intelligence Enterprise Edition 11g to work

with SiteMinder SSO (Doc ID 1287479.1)
PURPOSE
This paper examines how to configure Oracle Business Intelligence Enterprise Edition (Oracle BI EE)
11.1.1.3.0 to use SiteMinder version 6 as a Single Sign-on mechanism (SSO).
There are two possible approaches for configuring SiteMinder with Oracle BI EE 11g.
One approach involves using a SiteMinder Asserter (Application Agent) provided by Computer
Associates as a plugin to WebLogic combined with a supported Authenticator such as an Active
Directory Authenticator. This approach is not described in this document and has not been certified by
Oracle at this point. However, customers have successfully configured this approach and it does not
have the same limitations as the approach described in this document.
Page 36
Under certain circumstances, the approach using an Asserter in WebLogic will not be possible. In this
case, the approach described in this document should be followed. For example, if group membership
for users is defined in a database table it is not possible in BI 11.1.1.3.0 to use an authenticator and
asserter approach for authentication.
The approach described in this document is based on an HTTP header provided by SiteMinder that
contains the UserID of an authenticated user. This HTTP header is then used by Oracle BI EE to logon.
The scenario documented assumes that a user population exists in an LDAP directory and that the BI
Server will retrieve group membership information for these users via a single SQL statement executed
by an Initialization Block.
SCOPE
This document describes the steps required to integrate Oracle BI Enterprise Edition with SiteMinder SSO in order
to use SiteMinder to provide single-sign on and secure access to the Oracle BI /analytics URL.
Page 37
This document is aimed at Oracle BI professionals familiar with both SiteMinder and Oracle BI Enterprise Edition
11g. In particular, you should have familiarity with SiteMinder Policy Server and Web Agent as well as HTTP
server functionality and experience of maintaining metadata in the Oracle BI Administration Tool.
Setup is required in both Oracle BI and SiteMinder to perform this integration. This document assumes that a
supported HTTP server has been configured with the appropriate WebLogic plugin in front of the WebLogic server
hosting the web components of Oracle BI. An example of the WebLogic plugin configuration is given for an
Apache HTTP server, links to the documentation for configuring the IIS plugin are provided.
You should be aware that there are some limitations of this approach. The known limitations are as follows:
Access to RTD is not possible using this approach.
Access to BIP via Oracle BI has known issues using this approach which are not planned to be addressed for
Oracle BI 11.1.1.3.0.
Page 38
This document does not address any additional configuration that might be required to configure BI Publisher
for SiteMinder SSO.
Invoking Actions that are configured to propagate user identity to targets has not been certified.
Using Essbase as a data source including propagating the user identity of the BI User to Essbase via a CSS
Token is not certified with this approach.
BISearch is not certified with this approach due to limitations around Secure Enterprise Search support for
SiteMinder
Editing a view in Excel under BIOffice does not work as BIOffice requires an IP address to access analytics
whereas SiteMinder must be configured to protect analytics via a fully qualified hostname
This approach has been tested against the following release versions:
Page 39
Oracle BI EE 11.1.1.3.0
SiteMinder 6.0
DETAILS
Please see attachment : Configuring Oracle Business Intelligence Enterprise Edition 11g to work with SiteMinder
SSO
An Oracle White Paper

April 2011 (Updated July 2011)
Page 40
Page 41
Purpose....................................................................3
Scope.......................................................................3
2.1
Pre-requisites....................................................4
Configuration Instructions......................................4
3.1
Create an Agent on the SiteMinder Policy Server
3.2
Required setup on HTTP Server.......................5
3.3
Web Agent setup on HTTP Server.....................6
3.4
Required setup on SiteMinder Policy Server....6
3.5
Configuration Required in the RPD..................7
3.6
Configure Oracle BI for SSO...........................12
3.7
Configuration on WebLogic to protect direct access
15
3.7.1 Protect direct http access to OBIPS............15

4
Troubleshooting.....................................................16
Purpose
This paper examines how to configure Oracle Business Intelligence Enterprise Edition
(Oracle BI EE) 11.1.1.3.0 to use SiteMinder version 6 as a Single Sign-on mechanism (SSO).
There are two possible approaches for configuring SiteMinder with Oracle BI EE 11g.
Page 2
One approach involves using a SiteMinder Asserter (Application Agent) provided by

Computer Associates as a plugin to WebLogic combined with a supported
Authenticator such as an Active Directory Authenticator. This approach is not
described in this document and has not been certified by Oracle at this point.
However, customers have successfully configured this approach and it does not
have the same limitations as the approach described in this document.
Under certain circumstances, the approach using an Asserter in WebLogic will not be
possible. In this case, the approach described in this document should be followed. For
example, if group membership for users is defined in a database table it is not possible in BI
11.1.1.3.0 to use an authenticator and asserter approach for authentication.
The approach described in this document is based on an HTTP header provided by
SiteMinder that contains the UserID of an authenticated user. This HTTP header is then used
by Oracle BI EE to logon. The scenario documented assumes that a user population exists in
an LDAP directory and that the BI Server will retrieve group membership information for
these users via a single SQL statement executed by an Initialization Block.
Scope
This document describes the steps required to integrate Oracle BI Enterprise Edition with
SiteMinder SSO in order to use SiteMinder to provide single-sign on and secure access to the
Oracle BI /analytics URL.
This document is aimed at Oracle BI professionals familiar with both SiteMinder and Oracle
BI Enterprise Edition 11g. In particular, you should have familiarity with SiteMinder Policy
Server and Web Agent as well as HTTP server functionality and experience of maintaining
metadata in the Oracle BI Administration Tool.
Setup is required in both Oracle BI and SiteMinder to perform this integration. This
document assumes that a supported HTTP server has been configured with the appropriate
WebLogic plugin in front of the WebLogic server hosting the web components of Oracle BI.
An example of the WebLogic plugin configuration is given for an Apache HTTP server, links
to the documentation for configuring the IIS plugin are provided.
You should be aware that there are some limitations of this approach. The known limitations
are as follows:
Access to RTD is not possible using this approach.
Access to BIP via Oracle BI has known issues using this approach which are not
planned to be addressed for Oracle BI 11.1.1.3.0.
This document does not address any additional configuration that might be required
to configure BI Publisher for SiteMinder SSO.
Invoking Actions that are configured to propagate user identity to targets has not
been certified.
Using Essbase as a data source including propagating the user identity of the BI User
to Essbase via a CSS Token is not certified with this approach.
Page 3
BISearch is not certified with this approach due to limitations around Secure
Enterprise Search support for SiteMinder
Editing a view in Excel under BIOffice does not work as BIOffice requires an IP address
to access analytics whereas SiteMinder must be configured to protect analytics via a
fully qualified hostname
This approach has been tested against the following release versions:
Oracle BI EE 11.1.1.3.0
SiteMinder 6.0
Prerequisites
The following prerequisites must be satisfied before you configure Oracle BI 11g with
SiteMinder:
Oracle Business Intelligence 11.1.1.3 must be installed and running
A supported web server (e.g. Apache 2.0, IIS 7.0) must be installed and running
SiteMinder Policy Server 6 must be installed and running on the same internet domain
as the web server
A User Directory should be configured on the SiteMinder Policy Server for both
Authentication and Authorization. This User Directory needs to point to an LDAP
directory that can also be used directly by the BI Server.
Configuration Instructions
Creating an Agent on the SiteMinder Policy Server
Follow the SiteMinder documentation to create an Agent to use with your web server. Here
is a summary of the required tasks:
1. Log on to Policy Server Administration console.
a. Right-click on Agents->Create Agent.
b. In Agent Properties, enter a name for the agent (e.g. Hostname of the machine
hosting the web server and SiteMinder Agent)
c. Optional: Enter a description of a new agent.
d. Click OK.
2. In the left tree view:
a. Select Agent Conf Objects.
b. Right-click on IISDefaultSettings or ApacheDefaultSettings, depending on the
Web server software you have installed, and select Duplicate Configuration
Object in context menu.
Page 4
3. On Agent Configuration Object Properties

a. Give a name to a new configuration object.
b. Double-click on #DefaultAgentName.
c. In the Edit Parameter Dialog, in Parameter Name, remove the comment (#)
character from the property name and change the Value to the same name as
specified for the Agent.
d. Double-click on #BadUrlChars and remove // from BadUrlChars value.
e. Uncomment #BadCssChars and leave Value blank.
f. Double-click on #IgnoreExt.
g. Uncomment
#IgnoreExt
and,
for
Value,
remove
the
following
extensions: .gif, .jpg,.jpeg,.png.
h. Uncomment #LogFileName and, for Value, enter a log file name and location.
i. Set Logfile property to yes if you want to enable agent logging.
j. Click OK.
Setting up the HTTP Server
1. Install web server if not already available, e.g., install Apache 2.0.64
2. Download the appropriate WebLogic plugin for your version of the webserver (you can
find further information on which is the most appropriate plugin from the WebLogic
WebServer
plugins
guide
at
http://download.oracle.com/docs/cd/E14571_01/web.1111/e14395/overview.htm).
3. The latest maintenance releases for the version 1.0 and the version 1.1 plug-ins are
posted on My Oracle Support search for Patch Number 10051798 (for version 1.0 of
the plugins) or Patch Number 10051826 (for version 1.1 plug-ins).
4. This document covers configuring the plugin for Apache 2.0 as an example, which
requires the 1.0 plugins - full instructions on configuring this plugin with the Apache
web
server
are
available
at
http://download.oracle.com/docs/cd/E14571_01/web.1111/e14395/apache.htm
5. Unpack the plugins and find the appropriate version of the plugin for your platform to
the Apache modules directory
e.g. for a 32-bit Linux install, where you unpacked the plugins zip file to
/home/user/WLSPlugins1.0/, the appropriate plugin would be located at
/home/user/WLSPlugins1.0/ linux/i686/mod_wl_20.so
6. Copy the mod_wl_20.so file to the modules directory under your Apache install
directory.
7. Open your <apache install directory>/conf/httpd.conf file and add the following lines
at the end of the file:
LoadModule WebLogic_module
modules/mod_wl_20.so
<Location /analytics>
SetHandler WebLogic-handler
WebLogicHost [fully qualified hostname of the BI Server]
Page 5
WebLogicPort [WebLogic managed Server port default is 9704]

</Location>
<Location /ui>
</Location>
<Location /xmlpserver>
</Location>
<Location /analytics-ws>
</Location>
<Location /biservices>
</Location>
<Location /biofficeclient>
</Location>
8. Restart your web server

webserver:port]/analytics
and
navigate
to
http://[fully-qualified
hostname
for
9. You should see the BI login screen.
Setting up the Web Agent on the HTTP Server

Complete the following steps:
1. Follow SiteMinder documentation to install and configure SiteMinder Web Agent on
your web server. You should include the steps to perform host registration. Any
issues with this step should be directed to SiteMinder support rather than Oracle
support.
TROUBLESHOOTING TIP: CHECK THAT YOUR SITEMINDER P OLICY SERVER SHOWS A NEW
TRUSTED HOST AFTER COMPLETING HOST REGISTRATION VIA WEB AGENT.
2. Restart your web server .

3. Clear the browser cache and cookies.
Page 6
4. Navigate to http://[fully-qualified hostname for webserver:port]/analytics .

5. You should be challenged for SiteMinder authentication.
6. On successful authentication you should be directed to the BI login page.
Setting up the SiteMinder Policy Server
Use the SiteMinder documentation to complete the following steps:
1. Add a Domain that uses the User Directory to be used with Oracle BI.
2. Create a Policy for the Domain. NB in the SiteMinder Domain, do not create a Realm to
protect /, instead, create a Realm for each uri pattern we need to either protect or
unprotect.
3. Create a separate Realm to protect each of the following:
/analytics/saw.dll
/xmlpserver (BI Publisher)
(Oracle
BI
EE)
4. Create a Rule for each of the above Realms and attach to the Domain's Policy.
5. Each Rule should be set to Allow Access with the Web Agent actions of Get and Post.
6. Create
a
separate
Realm
to
unprotect
/analytics-ws
/xmlpserver/services/
/xmlpserver/report_service
/xmlpserver/ReportTemplateService.xls
/xmlpserver/Guest
/biservices (Oracle BI EE Web Services for SOA)
each
of
the
following:
7. Make sure that each Realm created uses the User Directory pointing to the same
Identity Store being used by Oracle BI.
8. Make sure that the SiteMinder Policy is configured to provide the HTTP header
SM_USER, which is the HTTP SiteMinder will typically set by default.
Configuring the RPD File
Open the RPD using the BI Admin Tool and complete the following steps:
1. Create a new LDAP Server connection under Manage > Action > New > LDAP Server.
This needs to point to the same LDAP store that is used by the SiteMinder User
Directory.
2. This is documented in Oracle Fusion Middleware Security Guide for Oracle Business
Intelligence Enterprise Edition, Section A1.1 Setting up LDAP Authentication:
http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/legacy.htm#BABFJEJF
3. Test the connection and make sure that it works.
4. Create a new Initialization Block (Manage > Variables > Action > New > Session >
Initialization Block) called authenticationLDAP (the name is not important) as shown
below:
Page 7
5. Create another Initialization Block called authorization as shown:
Page 8
6. The SQL can be anything that returns either a list of groups, or a single group if rowwise initialization is not used.
IMPORTANT NOTES:
In Oracle BI 11g, Init Blocks to set USER and GROUP will only fire when
the user trying to authenticate is not found via an Authenticator
configured in the WebLogic security Realm. Therefore, you should not
configure any authenticators other than the default authenticator when
using the method described in this document. The default authenticator
still needs to be configured and should contain the BI System User and the
OracleSystemUser and related group.
Page 9
When using an Init Block to set the GROUP session variable, the values of
this variable should be set to match by name against one or more
Application Roles configured via Enterprise Manager Fusion Middleware
Control, for example, BIConsumer.
A user will be assigned these
Application Roles and associated permissions during authentication.
Please refer to the documentation in Oracle Fusion Middleware Security

Guide for Oracle Business Intelligence for information about Application
Roles and how to add a new Application Role.
When using init blocks to set USER and GROUP, the association of groups to
Application Roles is performed using the logic described above. Assignment of
users and groups to Application Roles in the policy store is not used in this case.
Any values of the GROUP variable that do not match an Application Role will be
matched by name against the available Web Groups in the BI Presentation
Services Web Catalog.
The user will be assigned these Web Groups and
associated privileges.
Any value of GROUP that does not match an Application Role or a Web Group will
be ignored.
Configuring Oracle BI for SSO

Follow the instructions below to configure Oracle BI to use an HTTP header from SiteMinder
in order to assert the user identity.
1) Login to Enterprise Manager Fusion Middleware Control.
2) Select Business Intelligence and go to the Security tab.
3) Click Lock and Edit.
4) In the SSO drop down, select SiteMinder SSO.
5) Click Apply.
6) Click Activate changes.
7) Configure authenticationschemas.xml as follows:
a) On your BI installation go to mwhome/OracleBI1/bifoundation/web/display
b) Edit authenticationschemas.xml with the following changes (shown in bold):
<?xml version="1.0"?>
<AuthenticationSchemas xmlns="oracle.bi.presentation/authschemas/v1" defaultSchema="UidPwd">




<SchemaKeyVariable source="serverVariable" nameInSource="AUTHSCHEMA" options="trim"/>

<SchemaKeyVariable source="serverVariable" nameInSource="REMOTE_USER" forceValue="SSO"/>
<SchemaKeyVariable source="serverVariable" nameInSource="REMOTE_USER" forceValue="SSO-ATG"/>
Page 10
<SchemaKeyVariable source="httpHeader" nameInSource="SM_USER" forceValue="SSOSiteminder"/>


<SchemaKeyVariable source="url soap" nameInSource="AuthSchema" options="trim"/>

<SchemaKeyVariable source="url" nameInSource="Impersonate" forceValue="Impersonate"/>
<SchemaKeyVariable source="url" nameInSource="NQUser" forceValue="UidPwd"/>

<SchemaKeyVariable source="serverVariable" nameInSource="HSS_REMOTE_USER"
forceValue="HyperionCSS"/>

<SchemaKeyVariable source="cookie" nameInSource="ICX_SESSION" forceValue="EBS-ICX"/>


<AuthenticationSchemaGroup>
<RequestVariable source="url" type="auth" nameInSource="NQUser" biVariableName="UID"
options="trim" />
<RequestVariable source="url" type="auth" nameInSource="NQPassword" biVariableName="PWD"
options="secure"/>
<RequestVariable source="url" type="proxyUserAuth" nameInSource="RUNAS"
biVariableName="NQ_SESSION.RUNAS" />

<AuthenticationSchema name="UidPwd" displayName="Username Password (Browser)"
userID="UID" proxyUserID="NQ_SESSION.RUNAS" />

<AuthenticationSchema name="Impersonate" displayName="Impersonation (Browser)"
userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS">
<RequestVariable source="url" type="auth" nameInSource="Impersonate"
biVariableName="IMPERSONATE" options="required"/>
</AuthenticationSchema>
</AuthenticationSchemaGroup>

<RequestVariable source="soap" type="auth" nameInSource="name" biVariableName="UID"/>
<RequestVariable source="soap" type="auth" nameInSource="password" biVariableName="PWD"
options="secure"/>
<RequestVariable source="soap" type="auth" nameInSource="AUTHINITBLOCKSONLY"
biVariableName="NQ_SESSION.AUTHINITBLOCKSONLY" options="secure"/>

<AuthenticationSchema name="UidPwd-soap" displayName="Username Password (SOAP)"
userID="UID" proxyUserID="NQ_SESSION.RUNAS"/>

<AuthenticationSchema name="Impersonate-soap" displayName="Impersonation (SOAP)"
<RequestVariable source="soap" type="auth" nameInSource="impersonateID"

<RequestVariable source="credStoreUser" type="auth"
nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth"
nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
<RequestVariable source="url" type="proxyUserAuth" nameInSource="RUNAS"
biVariableName="NQ_SESSION.RUNAS"/>


<AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE"
proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
Page 11
<RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER"

biVariableName="IMPERSONATE" options="stripWindowsDomain required"/>


<AuthenticationSchema name="SSO-Siteminder" displayName="CA Siteminder"
userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">

<RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER"



<AuthenticationSchema name="HyperionCSS" displayName="Hyperion CSS Token"
<RequestVariable source="serverVariable" type="auth" nameInSource="HSS_REMOTE_USER"

<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_LANGUAGE" biVariableName="NQ_SESSION.AOL_LANGUAGE"/>
nameInSource="AOL_TIMEZONE" biVariableName="NQ_SESSION.AOL_TIMZONE"/>
nameInSource="AOL_TERRITORY" biVariableName="NQ_SESSION.AOL_TERRITORY"/>
nameInSource="AOL_TIME_FORMAT" biVariableName="NQ_SESSION.AOL_TIME_FORMAT"/>
nameInSource="AOL_CURRENCY" biVariableName="NQ_SESSION.AOL_CURRENCY"/>
nameInSource="AOL_DATE_FORMAT" biVariableName="NQ_SESSION.AOL_DATE_FORMAT"/>
nameInSource="AOL_DECIMAL_SEPARATOR" biVariableName="NQ_SESSION.AOL_DECIMAL_SEPARATOR"/>
nameInSource="AOL_GROUPING_SEPARATOR" biVariableName="NQ_SESSION.AOL_GROUPING_SEPARATOR"/>
nameInSource="AOL_CLIENT_ENCODING" biVariableName="NQ_SESSION.AOL_CLIENT_ENCODING"/>
nameInSource="AOL_ACCESSIBILITY_MODE" biVariableName="NQ_SESSION.AOL_ACCESSIBILITY_MODE"/>
nameInSource="AOL_NLS_LANG" biVariableName="NQ_SESSION.AOL_NLS_LANG"/>
nameInSource="AOL_NLS_LANGUAGE" biVariableName="NQ_SESSION.AOL_NLS_LANGUAGE"/>
nameInSource="AOL_NLS_SORT" biVariableName="NQ_SESSION.AOL_NLS_SORT"/>
nameInSource="AOL_NUMBER_FORMAT" biVariableName="NQ_SESSION.AOL_NUMBER_FORMAT"/>
nameInSource="AOL_APPLICATION_ID" biVariableName="NQ_SESSION.AOL_APPLICATION_ID"/>
nameInSource="AOL_COLOR_CONTRAST" biVariableName="NQ_SESSION.AOL_COLOR_CONTRAST"/>
nameInSource="AOL_EMBEDDED_HELP_ENABLED"
biVariableName="NQ_SESSION.AOL_EMBEDDED_HELP_ENABLED"/>
Page 12

nameInSource="AOL_FONT_SIZE" biVariableName="NQ_SESSION.AOL_FONT_SIZE"/>

<AuthenticationSchema name="Impersonate-ATG-soap" displayName="Impersonation + Fusion
Applications Interop (SOAP)" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS">
<RequestVariable source="soap" type="auth" nameInSource="name" biVariableName="UID"/>
<RequestVariable source="soap" type="auth" nameInSource="password"
biVariableName="PWD" options="secure"/>
<RequestVariable source="soap" type="auth" nameInSource="impersonateID"

<AuthenticationSchema name="SSO-ATG" displayName="SSO + Fusion Applications Interop"
userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI" >
<RequestVariable source="credStoreUser" type="auth"
nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth"
nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
<RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER"
biVariableName="IMPERSONATE" options="required" />

<AuthenticationSchema name="EBS-ICX" displayName="Oracle eBusiness Applications ICX Session"
options="noLogoffUI noLogonUI" >


<RequestVariable source="cookie" type="auth" nameInSource="ICX_SESSION"
biVariableName="NQ_SESSION.ICX_SESSION_COOKIE"/>
<RequestVariable source="url" type="informational" nameInSource="ACF"
biVariableName="NQ_SESSION.ACF"/>
</AuthenticationSchemas>
IMPORTANT NOTE: THE AUTHENTICATIONSCHEMAS .XML FILE IS AN INTERNAL CONFIGURATION

FILE . ANY CUSTOM CHANGES MADE TO THIS FILE SUCH AS THOSE DESCRIBED IN THIS
DOCUMENT WILL NOT BE HANDLED BY PATCHING OR UPGRADE PROCESSES .
8) Restart Oracle BI Presentation Services
9) Navigate to http://[webserver:port]/analytics. You should be prompted for UID/password
via a SiteMinder login screen or popup dialog.
10)
Enter credentials from your LDAP identity store
11)
You should get access to BI
Configuring WebLogic to prevent direct access to BI
Follow the WebLogic documentation to setup a Connection Filter so that only the web server
protected by the SiteMinder Web Agent and machines running BI components are allowed to
access the WebLogic server:
1. Instructions on configure the default connection filter are contained in the section
entitled Using Connection Filters in the WebLogic documentation at:
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/domain.ht
m#SECMG410
Page 13
2. Instructions on writing an appropriate filter rule are contained in the section entitled
Guidelines for Writing Connection Filter Rules in WebLogic documentation at:
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13711/con_filtr.ht
m#SCPRG377
3. Your filter rule should look like this:
[web server IP Address] * [WebLogic Admin Server Port] allow

[web server IP Address] * [WebLogic Managed Server Port] allow
[BI component server IP Address] * [WebLogic Admin Server Port] allow
[Another BI component server IP Address (if it exists)] * [WebLogic Managed
Server Port] allow
0.0.0.0/0 * * deny
Test that you can access the WebLogic Administration Console and BI via the web server, but
not directly from any other machine.
Protecting direct HTTP access to OBIPS

Follow the guidance in the Oracle Fusion Middleware Security Guide for Oracle Business
Intelligence Enterprise Edition, section 4.3 SSO Implementation Considerations
(http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/sso.htm#CEGBECIH). For
convenience, an extract from the 11.1.1.3 document is shown below.
When implementing a SSO solution with Oracle Business Intelligence you should consider
the following:
When accepting trusted information from the HTTP server or servlet container, it is
essential to secure the machines that communicate directly with the Oracle BI
Presentation Server. This can be done by setting the Listener\Firewall node in the
instanceconfig.xml file with the list of HTTP Server or servlet container IP addresses.
Additionally, the Firewall node must include the IP addresses of all Oracle BI Scheduler
instances, Oracle BI Presentation Services Plug-in instances and Oracle BI Javahost
instances. If any of these components are co-located with Oracle BI Presentation
Services, then address 127.0.0.1 must be added in this list as well. This setting does
not control end-user browser IP addresses.
When using mutually-authenticated SSL, you must specify the Distinguished Names
(DNs) of all trusted hosts in the Listener\TrustedPeers node.
An example of the configuration required in your instanceconfig.xml file is shown

below:
<Listener>
<Firewall>
<Allow address="[IP Address of 1st machine hosting BI Components]"/>
<Allow address="[IP Address of another machine hosting BI Components if
it exists]"/>
<Allow address="[IP Address of another machine hosting BI Components if
it exists]"/>
</Firewall>

Page 14
</Listener>
Page 15
Troubleshooting
Some common problems and resolutions are listed below.
Issue
/analytics is protected
by SiteMinder, but you
still just see the BI
login page
Hints
Is the UserID being passed to BI via the SM_USER HTTP header
variable?
Turn on some logging in instanceconfig.xml
<FilterRecord writerClassGroup="File"
disableCentralControl="true" path="saw.httpserver.request"
information="16" warning="32" error="32" trace="32"
incident_error="32"/>
<FilterRecord writerClassGroup="File"
disableCentralControl="true" path="saw.httpserver.response"
information="16" warning="32" error="32" trace="32"
incident_error="32"/>
Then restart OBIPS. Try to login again and review the end
of the OBIPS log. Look for HTTP header variables
SiteMinder does not
let your user login
User logs in to BI with
'Act As' by default
User experiences
issues with access to
webcat folder 'My
Folders'
This allows you to review the http headers and cookie values
being received by OBIPS in order to debug SSO
Turn on logging/debug for your Web Agent. Refer to SiteMinder
documentation for details on how to do this.
Try again and review log
In Oracle BI 11.1.1.3.0, if an Init Block is used to set USER
variable, but this variable has a default initializer and the Init
Block is not marked 'Required for Authentication', then 'Act As'
functionality is invoked.
Make sure the Init Block to set USER is marked 'Required for
Authentication'
Make sure the USER variable does not have a default value.
Refresh Guids. Refer to the Oracle BI 11.1.1.3.0 Security Guide
Section 3.2.1.4 for more information.
Make sure that the User does not exist in the WebLogic LDAP as
well as the primary Identity Store.
OBIEE 11g: Configuring Authentication and SSO with

Active Directory and Windows Native Authentication
PURPOSE
Page 16
This paper examines how to configure Oracle Business Intelligence Enterprise Edition
(OBIEE) 11g to use Windows Server Active Directory (AD) as an LDAP Authentication
source and how to use Windows Native Authentication (WNA) in an SSO
environment.
The aim is to describe the configuration and set up required so that users may log on
to their Windows PCs and access OBIEE via a standard web browser with no further
authentication required on their part. Windows Native Authentication and Oracle
Weblogic will be authenticating users to OBIEE using their standard network log ins
without further troubling authorised users of the system.
There are several steps to be performed in Active Directory itself, in the Weblogic
Server hosting OBIEE, in the OBIEE web app and finally on the client machine(s) from
which you wish users to access OBIEE using Windows Native Authentication SSO.
The steps in this document have been tested with OBIEE version 11.1.1.3.0 and
Active Directory 2008 (Windows Server 2008).
SCOPE
OBIEE Administrators. This requires in-depth knowledge of Windows Native Authentication /.
Kerberos workings.
Please note the additional info below regarding the "Reordering Providers" section on
page 7 of the attached white paper doc:
The doc states the following regarding "Reordering Providers": Return to the main
Authentication Provider screen (Security Realms->myrealm->Providers>Authentication). Click the Reorder button, then select the tickbox next to your
ActiveDirectoryAuthenticator (ADAuthenticator in our example), then use the shuttle
control to put the ActiveDirectoryAuthenticator at the top of the list.
Please be aware that if you do this with an AD not configured correctly, the domain
will not start. Therefore, it is recommended to check the new provider
(ADAuthenticator) first. To make sure that the ADAuthenticator is integrated
correctly, restart the Administration server and verify that the Users and Groups
defined into Active Directory are being pulled by the WebLogic Server Authenticator.
To do so, you can explore the Users and Groups tabs in WebLogic administration
console (Security Realms->myrealm->Users and Groups). At this point you should be
able to distinguish the new Active Directory Users and Groups by sorting by the
Page 1
"Provider" attribute.
Important: If the ADAuthenticator is not able to retrieve the users correctly, verify
the Provider Specific details and correct before moving to the next step.
If having issues, please use the following document to assist with troubleshooting:
Document 1390127.1 - OBIEE 11g: How To Check each Configuration Step when
Configuring Authentication and SSO with Active Directory and Windows Native
Authentication
REFERENCES
NOTE:1390127.1 - OBIEE 11g: How To Check each Configuration Step when Configuring
Authentication and SSO with Active Directory and Windows Native Authentication
Attachments
Configuring Oracle BI 11g and Weblogic for Single Sign-On using Kerberos-based Windows Authentication
backed by Active Directory.
(517.5 KB)
An Oracle White Paper

Updated October 2011
Page 2
Introduction...................................................................3
Scenario.........................................................................3
Stage 1: Using Active Directory as a User store...........4
What we need to know...............................................4
Configuring Active Directory Authenticator in Weblogic 4
Reordering Providers..................................................7
Changing User/Group Name Attributes.....................7
Resetting the system user..........................................9
Mapping Active Directory Groups to Application Roles
12
Testing your changes................................................12

Troubleshooting Active Directory Authentication.......12
Stage 2: Windows Native Authentication Single Sign-On with Kerberos14
The KDC Configuration.............................................14
Configure your domain to use Kerberos...................14
Enabling DES Encryption on Windows Server 2008 R2
15
Define a Service Principal Name for the service......16

Weblogic Server Configuration.................................17
Configure Weblogic server to find the KDC server. .18
Create a keytab for your Weblogic server................18
Verify your Kerberos configuration..........................19
Configure Weblogic Login Module...........................20
Configure the Single Pass Negotiate Identity Assertion provider
21
Troubleshooting Kerberos/Weblogic Server Configuration 22

kinit...........................................................................22
klist...........................................................................23
Page 2
Kinit errors:..............................................................24
SPN issues................................................................25
Weblogic Login Module errors.................................25
Stage 3: Configure BI for SSO.....................................27
Configure BI Analytics App to request SPNEGO Authentication27
Configure BI for SSO................................................29
Stage 4: Configuring Client Machines.........................31
Configure the client for single sign on.....................31
Additional settings for SSL with IE8/Windows 7......32
Troubleshooting the client and 401 errors...............32
Weblogic Authentication Logging................................33
References...................................................................34
INTRODUCTION
This paper was previously titled Configuring authentication and SSO with Active Directory and
Windows Native Authentication in Oracle Business Intelligence Edition.
This paper examines how to configure Oracle Business Intelligence Enterprise Edition (Oracle
BI EE) 11.1.1.3.0 to use Windows Server Active Directory (AD) as an LDAP Authentication
source and how to use Windows Native Authentication (WNA) in an SSO environment.
The aim is to describe the configuration and setup required so that users may log on to their
Windows PCs and access Oracle BI EE via a standard web browser with no further
authentication required on their part Windows Native Authentication and Oracle Weblogic
will be doing the hard work to authenticate users to Oracle BI EE using their standard network
logins without further troubling authorised users of the system.
There are several steps to be performed in Active Directory itself, in the Weblogic Server
hosting Oracle BI EE, in the Oracle BI EE web app and finally on the client machine(s) from
which you wish users to access Oracle BI EE using Windows Native Authentication SSO.
Page 3
The steps in this document have been tested with Oracle BI EE version 11.1.1.3.0 and Active
Directory 2008 (Windows Server 2008).
SCENARIO
In order to illustrate the configuration settings that must be set we will use a worked example
of a fictional company XYZ corp. attempting to set up WNA SSO for BI for their internal users.
In this scenario, we have the following elements at play:
1. Active Directory Domain: XYZ Corp have an AD domain, xyzcorp.com which
authenticates all their internal users when users log into the corporate network on
their Windows machines, this is the domain they log into. The AD domain controller is:
addc.xyzcorp.com, controlling AD domain (and Kerberos realm) xyzcorp.com
2. Oracle BI EE Weblogic Domain: XYZ Corp have a Weblogic domain,
bifoundation_domain (the default for Oracle BI EE installs) installed on a server in a
separate network domain bieesvr1.xyz2.com
3. The SysAdmin trying to set all this up is Jo Smith (login jsmith)
4. Jos client machine is xyz47.xyzcorp.com
STAGE 1: USING ACTIVE DIRECTORY AS A USER STORE
Note that this document is based on BI 11.1.1.3 and subsequent releases of BI (including
11.1.1.5) may require slightly different configuration or may offer additional functionality.
Refer to the documentation relating to the release you are using for up-to-date instructions.
Before we can think about having clients authenticate using Single Sign On from machines in
the AD domain, first we must configure Oracle BI EE to recognise the AD domain as a valid
user store to authenticate Oracle BI EE users against. This is a standalone operation in its own
right once we have completed this section, XYZ Corp users will be able to log in to Oracle BI
EE using the same credentials as they use to log in to the Windows domain.
NB this also requires Group information to be stored in Active Directory i.e. once
authenticated in this way, the system will expect users to be organised in AD groups. So users
must be assigned to groups in Active Directory, rather than assigning Group/Role information in
INIT blocks, as was the case in Oracle BI EE 10g. AD groups can then be assigned to
Application Roles in Enterprise Manager to provide access to functions of the system.
What we need to know
To complete this stage, we need the following pieces of information:

Active Directory Server name/port: we need the name of the AD server and the port on
which its listening for LDAP requests (defaults to 389). So in our example scenario this is
addc.xyzcorp.com:389
Base DN: the base LDAP path from which all searches start for users and groups. In our
example scenario, this is: CN=Users,DC=xyzcorp,DC=com
for the Users Base DN and
Page 4
CN=Builtin,DC=xyzcorp,DC=com
for the Groups Base DN.

GUID attribute: attribute in LDAP used to represent the GUID of users and groups (defaults to
objectguid for Active Directory)
DN/Password for LDAP Principal: the LDAP DN for the user we will connect to Active
Directory as when retrieving information about LDAP users. In our example scenario, this is:
CN=jsmith,CN=Users,DC=xyzcorp,DC=com
Well also need the password for the user, obviously. NB the user need not be an administrative
account, but it does need to have sufficient privileges to be able to make arbitrary queries on
the LDAP tree.
Configuring Active Directory Authenticator in Weblogic
Log on to the Weblogic Admin console at http://bieesvr1.xyz2.com:7001/console

On the left hand side of the screen is a Domain Structure menu. Select Security Realms then
on the main page, click on the link for the domain security realm (default myrealm), then the
Providers tab in the main screen, followed by the Authentication subtab.
Click the Lock and Edit button in the top left of the WLS Admin console so we can create a
new authentication provider, then click the New button at the bottom of the table of current
Authentication Providers in the main screen.
Page 5
In the Create New Authenticator screen, type in a suitable name (ADAuthenticator in the
example below) and select the type as ActiveDirectoryAuthenticator, then click OK.
Youll now be taken back to table of authentication providers, with your new provider at the
bottom and the DefaultAuthenticator at the top. Click on the link to DefaultAuthenticator to edit
its properties.
In the Common Authentication Provider Settings screen, change the Control Flag drop-down
from REQUIRED to SUFFICIENT and click on the Save button. For further information on the
implications of these settings, consult the Weblogic Server documentation on Configuring
Authentication Providers at
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/atn.htm#i1204568 which
contains a detailed explanation of these settings
Go back to the table of authentication providers and click on the link to your new provider
(ADAuthenticator in the example) to edit its properties.
In the Common Authentication Provider Settings screen, change the Control Flag drop-down
from OPTIONAL to SUFFICIENT and click on the Save button.
Page 6
Next select the Provider Specific tab to bring up the options which apply specifically to
connecting to an Active Directory LDAP authentication store. This is where we need specific
information about the AD store were trying to connect to.
Host
Name of the AD server addc.xyzcorp.com
Port
Port the AD server is listening for LDAP

requests on
389
Principal
the LDAP DN for the user we will connect to

Active
Directory
as
when
retrieving
information about LDAP users
CN=jsmith,CN=Users,DC=x
yzcorp,DC=com
Credential/Con
firm credential
password of the principal specified in the

stage above
welcome1
User Base DN
LDAP query used to find users in AD. Good

practice is to limit this to only the required
LDAP branch.
CN=Users,DC=xyzcorp,DC
=com
User
Name
Attribute
Attribute used to specify user name in AD

defaults to cn. Do not change unless you know
your AD is configured to use a different
attribute for user name. If you do change it,
see the section on Changing user/group name
attributes below
cn
User
class
Object
user
Group base DN
LDAP query to find groups in AD Note that

only groups defined under this path will be
visible to Weblogic. Good practice is to limit
this to include only the required LDAP branch.
CN=Builtin,DC=xyzcorp,DC
=com
GUID attribute
The attribute used to define object GUIDs in

AD. Note that the principal used to search
objectguid
Page 7
LDAP needs read access to this attribute.

Reordering Providers
Return to the main Authentication Provider screen (Security Realms->myrealm->Providers>Authentication). Click the Reorder button, then select the tickbox next to your
ActiveDirectoryAuthenticator (ADAuthenticator in our example), then use the shuttle control to
put the ActiveDirectoryAuthenticator at the top of the list.
Changing User/Group Name Attributes
If your AD server uses a different attribute for User Name you will need to change the User
Name attribute from the default cn. If you do change this attribute, you will also need to
change the settings for AllUsersFilter and UserFromNameFilter as shown in the table below
(using the example of the user name being stored in an attribute called AnOtherUserAttribute)
Attribute Name
Default Setting
Required New Setting
UserNameAttribute
cn
AllUsersFilter
(&(cn=*)(objectclass=person))
(&(AnOtherUserAttribute
=*)(objectclass=person))
UserFromNameFilter
(&(cn=%u)(objectclass=person))
(&(AnOtherUserAttribute =
%u)(objectclass=person))
AnOtherUserAttribute
For UserName Attribute only, you also need to add two properties to the Identity Store
configuration (user.login.attr and and username.attr) to tell it about the attribute youre
expecting to get user name from (it defaults to using uid if none is specified). These settings
are reached via the Security Provider Configuration screen, which is accessed via Enterprise
Manager. Select Weblogic Domain -> bifoundation_domain->(right click) Security -> Security
Provider Configuration.
Page 8
This brings up the main Security Provider Configuration screen, find the Identity Store Provider
section in the middle of the screen and select the Configure button to bring up the Identity
Store Configuration screen. Click on the green + icon to add the new properties to the Identity
Store and as stated above, two new properties need to be added, user.login.attr and
username.attr, both set to the value of the alternate user name attribute
Likewise, if you have a different Group Name Attribute from the default cn, you also need to
change the AllGroupsFilter and GroupFromNameFilter, as shown in the table below (using the
example of the user name being stored in an attribute called AnOtherGroupAttr)
Page 9
Attribute Name
Default Setting
Required Changes
StaticGroupNameAttribute/
DynamicGroupNameAttribute
cn
AllGroupsFilter
(&(cn=*)(|
(objectclass=groupofUnique
Names)
(objectclass=orcldynamicgr
oup)))
(&(AnOtherGroupAttr=*)(|
(objectclass=groupofUniqueName
s)
(objectclass=orcldynamicgroup)
))
GroupFromNameFilter
(|(&(cn=%g)
(objectclass=groupofUnique
Names))(&(cn=%g)
(objectclass=orcldynamicgr
oup)))
(|(&(AnOtherGroupAttr=%g)
(objectclass=groupofUniqueName
s))(&(uid=%g)
(objectclass=orcldynamicgroup)
))
AnOtherGroupAttr
Once youve made all the changes you need to the Provider Specific form, click the Save button
Resetting the system user
On install, Oracle BI EE creates an internal account in the Weblogic LDAP store, BISystemUser,
which is used for service-to-service authentication. The credentials of this account are stored in
the Credential Store under the system.user key. Before you proceed any further you need to
point this system.user key to a set of credentials available in Active Directory.
You can if you wish use the credentials of an existing user, however we would recommend
creating a user account explicitly for this purpose this is not an ordinary user account but
rather a set of credentials used to authenticate services within the system to each other.
Whether you decided to use an existing account or create a new one, the process for changing
the system.user is the same.
In Enterprise Manager, select Weblogic Domain -> bifoundation_domain->(right click) Security
-> Credentials, this brings up the Credential Store configuration screen. Select the
oracle.bi.system map, expand it and select the system.user key. Reset the username and
password to your chosen account credentials the example below shows resetting to a new
bisystemuser account created in Active Directory to replace the BISystemUser account in the
default WLS LDAP referenced by the Default Authenticator.
Page 10
Next you need to ensure your new system user account is part of the BISystem Application
Role.
In Enterprise Manager, select Weblogic Domain -> bifoundation_domain->(right click)

Security ->Application Roles. This brings up the Application Roles configuration screen.
In the drop-down box labelled Application Stripe to Search, select obi and press the
green play button next to the Role Name text box. This will bring up a list of
application roles, one of which should be BISystem.
Select BISystem, and click the Edit button to edit the application role.
In the Edit Application Role screen, scroll down to the Users section and click on the
button marked Add User.
An Add User dialog will appear. Either type your system user username into the User
Name box or for a full list of users, leave it blank.
Again, click the green Play button next to the text box and a list of users will appear in
the Available Users selection box.
Page 11
Select the name of your system user account and use the shuttle control to move it into
the list of Selected Users. Click OK to dismiss the Add User dialog.
Back in the main Edit Application Role Screen, click the OK button in the top right of the
screen to apply the changes to the BI System Application Role.
The final stage of configuring the new system user is to ensure they are part of the Weblogic
Global Admin role.
Log into Weblogic Admin console
Select Security Realms from the left-hand menu, click on the link to your security
realm in the main screen (e.g. myrealm), then select Roles and Policies from the tabs
along the top
Page 12
In the list of roles, click on the plus sign to expand Global Roles, then Roles, then
click on the link marked View Role Conditions for the Admin Role.
Ensure the conditions specified will match your user, either directly, or by virtue of a
group they belong to (e.g. condition may be User = bisystemuser or
Group=Administrators
If you have made any changes, click the Save button. Changes should be applied
immediately
Once you have changed the system user credentials in this way, you will need to restart the BI
Server and BI Presentation Server before these changes will take effect. The easiest way to do
this is via Enterprise Manager select Business Intelligence and Restart All Components.
Mapping Active Directory Groups to Application Roles
Access to functions within Oracle BI is controlled via Application Roles. For a detailed
discussion of the purpose and function of the Application Roles, please see the product
documentation, for now it will suffice to say that in order for your Active Directory domain
users to be able to use the system, they (or rather the groups they are in) need to be mapped to
Application Roles.
The process for doing this is as for assigning the system user to the BISystemRole, described
above, with the exception that we map groups to the role, not just an individual user.
Testing your changes
Once youve restarted Weblogic, check that you can still log into the Weblogic Administrative
Console as the Weblogic admin user you specified during install.
Page 13
Next check you can log in to Oracle BI using the credentials of one of the Active Directory
users.
TROUBLESHOOTING ACTIVE DIRECTORY AUTHENTICATION
One of the most common causes of issues in Active Directory configuration is simply not having
the correct settings. Its useful when trying to diagnose AD LDAP issues to have an LDAP
browser to hand. Using an LDAP browser you can test the Base DNs youre using and the
credentials used to connect to the LDAP store, then drill into how your AD/LDAP store is
organised to, for example, view the attributes your AD store is using, check name hierarchies
(useful for diagnosing Base DN issues) etc.
There are several good LDAP browsers freely available which will help you diagnose using your
Active Directory as an LDAP store in WLS, such as Apache Directory Studio (shown above) http://directory.apache.org/studio/downloads.html or
the more lightweight JXplorer http://jxplorer.org/ .
Page 14
STAGE 2: WINDOWS NATIVE AUTHENTICATION SINGLE SIGN-ON WITH KERBEROS
Additional details on configuring and troubleshooting this functionality can be found in

document 779272.1:
WebLogic Server Support Pattern: Kerberos and SPNEGO Configuration Issues
In simple terms, this feature enables Microsoft clients (typically browsers), authenticated in a
Windows domain, using Kerberos (referred to by Microsoft as Integrated Windows
Authentication), to be transparently authenticated in a Weblogic domain, based on the same
credentials, and without the need to type in their password again. Once users have
authenticated to the Windows domain, they are also transparently authenticacted to the
Weblogic domain.
Three different areas need to be configured for this to happen:
The Client machine
The WLS server
Needs to be configured to access Kerberos, accept Kerberos tickets, and to locate Kerberos cred
Needs to be configured to send a Kerberos ticket when available
The KDC (AD domain controller)
ded to represent the WLS server, and some additional configuration to allow the principal to be related to the HTTP service
The KDC Configuration
A Windows Active Directory domain controller can serve as the Kerberos Key Distribution
Center (KDC) server for Kerberos-based client and host systems. In our example scenario,
there is a Windows domain xyzcorp.com, run by a domain controller, addc.yzcorp.com. Any
user that logs into that domain is authenticated against the AD server running in
addc.yzcorp.com, and so is also recognized by the Kerberos service as a valid principal. A
realm is the Kerberos equivalent of a Windows domain, i.e. an administrative domain. Kerberos
Page 15
realm names are usually written in uppercase and usually consist of the DNS domain name (so
for our example XYZCORP.COM is the realm name)
Configure your domain to use Kerberos
The first step is to locate your domain controller, and ensure that it is enabled to act as a KDC
and that the Kerberos and AD services are running.
Enabling DES Encryption on Windows Server 2008 R2
Windows 7 and Windows Server 2008 R2 by default have DES encryption disabled, so you will
need to explicitly enable it following the instructions in this Microsoft support note:
http://support.microsoft.com/kb/977321
You should follow the instructions in this section on the Domain Controller:
Enable the following Group Policies to apply the DES encryption type to all computers that are
running Windows 7 or Windows Server 2008 R2:
1. In the Group Policy Management Console (GPMC), locate the following location:
Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security
Options
It is also possible to start the Security Policy configuration program executing secpol.msc.
2. Click to select the Network security: Configure encryption types allowed for
Kerberos option.
3. Click to select Define these policy settings and all the six check boxes for the
encryption types.
4. Click OK. Close the GPMC.
Please consider that EVERY PC in the chain must support this kerberos encryption, including
all client machines accessing BI via web browser. Each machine must have this configuration
enabled in order for browsers to get and send kerberos tokens.
Create an account for the WLS server
Your Weblogic server does not need to belong to the network domain the AD domain controller
administers (xyzcorp.com, in our example) but it does need to be able to identify itself to the
KDC. For your Weblogic server to use Kerberos, you must first establish a Kerberos principal,
which is based on a standard AD account. This principal will represent your WLS server in the
Kerberos
realm.
So first, you need to create a user account in Active Directory for your Weblogic server instance
(NB you create a user not a machine even though this principal will represent the Weblogic
Server). While you are free to name the user anything you like, we recommend naming the user
by the short name of your Weblogic server host in order to differentiate this account from
Page 16
regular user accounts and also to enable you to more easily distinguish between multiple
Kerberos principal accounts representing different Weblogic servers. So in our example
scenario, the WLS server instance is running on bieesvr1.xyz2.com so we will create a user
named bieesvr1.
On the Active Directory Domain Controller, from the Start Menu, run Programs>Administrative Tools->Active Directory Users and Computers tool.
Right click on the Users node and select New->User. (Do not select Machine)
Type the same user name in the Full Name field and in the Logon Name field. (i.e.
this is where we would type in bieesvr1), then click Next
Enter a password (and of course, memorize it), verify that none of the password options
are checked and click Next.
Click Finish.
Next you must ensure your new user complies with the Kerberos protocol: the encryption type
for this account must be DES, and the account must require Kerberos pre-authentication.
Go back to the Active Directory Users and Computers tool, and locate your newly
created user in the Users tree in the left hand pane.
Right-click on the user node, and select Properties.
Page 17
Click on the Account tab. Check the box: Use DES encryption types for this account.
Ensure Do not require Kerberos pre-authentication is not checked (i.e. we DO require
Kerberos pre-authentication)
Click OK.
Historically, it has been reported that setting the encryption type may corrupt the
password. It is recommended at this point to reset the password of this user, by right
clicking on the user, selecting Reset Password and re-entering the same password
specified earlier.
Define a Service Principal Name for the service
An SPN (Service Principal Name) is a unique name that identifies an instance of a service and
is associated with the logon account under which the service instance runs. It provides a
mapping between the AD user account and the service instance and allows for the multipart
name format used in Kerberos principal names (e.g. HTTP/hostname.dns.com). The SPN is used
in the process of mutual authentication between the client and the server hosting a particular
service. The client finds a computer account based on the SPN of the service to which it is
trying to connect.
So, in our example scenario, we need to link the service that will be invoked by our clients to
the account we just defined for our Weblogic server. The service invoked by the browser clients
is HTTP/bieesvr1.xyz2.com, which needs to be linked to the bieesvr1 AD account we just
created. After the SPN is created, for a server to use Kerberos, the user must setup a keytab
(key table) on the host running the server (see next section).
NB this step is not required if your Weblogic server is running on Linux/Unix as the creation of
the keytab file using the ktpass utility on the AD domain controller (see below) will also create
the SPN. Explicitly using setspn is only required if your Weblogic server is on a Windows
machine.
setspn is the command line tool that allows us to do this, it is part of the Windows Resource Kit;
if you do not already have it installed on your AD controller, you should install it now from the
Windows Support Tools CD or download it from the Microsoft website.
On the AD server, run the setspn command using the following syntax:
setspn A HTTP/[fully qualified name of Weblogic server] [AD account we wish to link
to the service]
and
setspn A HTTP/[short hostname of Weblogic server] [AD account we wish to link to the
service]
so in our example scenario, that would be

setspn A HTTP/bieesvr1.xyz2.com bieesvr1
setspn A HTTP/bieesvr1 bieesvr1
Page 18
You can check what SPNs are associated with your user account, using the command setspn L
<account-name>,
e.g.
setspn -L bieesvr1
will return
Registered
ServicePrincipalNames
HTTP/bieesvr1.xyz2.com
for
CN=bieesvr1,CN=Users,DC=xyzcorp,DC=com:
HTTP/bieesvr1
It is important to check this as Windows does not handle duplicate or misassigned SPNs well.
If the same service is linked to a different account in the AD server, the client will not send a
Kerberos ticket to the server.
Note that If you have a frontend web server (for example Oracle Http Server) you must register
it with setspn, but the keytab described in the section below is only necessary on the weblogic
server (on every weblogic server if you have a cluster).
Weblogic Server Configuration
The server hosting the Weblogic server may or may not run on a Windows platform, and may or
may not belong to the same internet domain as the KDC and the client browser machine. The
important configuration requirements are:
The server has to be represented in the Kerberos realm via the principal we defined in the
previous section
The server needs to be able to access the KDC.
The Weblogic server process needs to have access to the credentials of its account in
Kerberos.
The Weblogic server must be configured to recognize a SPNEGO token in a request.
Configure Weblogic server to find the KDC server
On Windows machines, create a file named krb5.ini, in the C:\Windows directory; on Unix
machines, the file is called krb5.conf instead of krb5.ini, and the default location is in
/etc/krb5/. It may not be possible in all environments to create the file at this location, in which
case on Linux machines you can point to an alternate location with the environment variable
KRB5_CONFIG
and
for
Java
command
lines
the
parameter
-Djava.security.krb5.conf=<path>/krb5.conf. This file contains the Kerberos configuration
information necessary for the Weblogic server to locate and communicate with the Kerberos
server
and
must
have
these
contents:
[libdefaults]
default_realm = <Your Kerberos realm remember all caps>
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
Page 19
[realms]
<Your Kerberos realm remember all caps>
= {
kdc = <IP address of the KDC/AD server>

admin_server = <host name of the KDC/AD server>
default_domain = <Windows domain name in caps>
}
[domain_realm]
.<DNS domain name suffix, starting with .> = <Your Kerberos realm remember all
caps>
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
So, in our sample scenario, this would look like

[libdefaults]
default_realm = XYZCORP.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
[realms]
XYZCORP.COM = {
kdc = 10.221.61.122
admin_server = addc.xyzcorp.com
default_domain = XYZCORP.COM
}
[domain_realm]
.xyzcorp.com = XYZCORP.COM
[appdefaults]
autologin = true
Page 20
forward = true
forwardable = true
encrypt = true
Create a keytab for your Weblogic server
The next step is to create a keytab file for use on the Weblogic server. For Windows machines
this is accomplished with the keytab utility on the Weblogic server, for Unix machines the
equivalent is ktpass on the AD domain controller. Ktab is part of the JDK, and you should use
the JDK that comes with your Oracle BI EE install.
The keytab file produced must be generated or placed in the Weblogic domain directory
Windows
The syntax for ktab on Windows is

ktab.exe
keytab-file-name
account-name@REALM.NAME
(NB realm name must be specified in capitals). So in our example (assuming we have Oracle BI
installed at C:\OBI, and a Weblogic domain named bifoundation_domain, which is the default):
C:\OBI\jdk160\bin\ktab.exe k C:\OBI\user_projects\domains\bifoundation_domain\bieesvr1.keytab
a
bieesvr1@XYZCORP.COM
The ktab utility will prompt you for the password to the account, you should provide the
password to the AD account you created for your service principal in the preceding section.
Unix/Linux
NB Unlike in the Windows example where ktab is run on the Weblogic server, for Unix/Linux
machines you should run the ktpass command on the AD domain controller as it will both
create the keytab and the SPN simultaneously.
The
ktpass
-crypto
syntax
princ
for
ktpass
is
slightly
different
HTTP/<wls-server-name>@<REALM-NAME>
all
-ptype
than
-mapuser
KRB5_NT_PRINCIPAL
that
used
<account-name>
out
for
pass
ktab:
password
<keytab-file-name>
(NB again, realm name must be specified in capitals). So in our example scenario we would use
ktpass.exe princ HTTP/bieesvr1.xyz2.com@XYZCORP.COM mapuser bieesvr1 pass password -crypto
all
-ptype
KRB5_NT_PRINCIPAL
out
C:\bieesvr1.keytab
NB unlike in the Windows example above you should provide the password on the command
line.
The keytab file must then be copied to the Weblogic server domain directory i.e. in our example
scenario:
/opt/obi/user_projects/domains/bifoundation_domain/bieesvr1.keytab
Verify your Kerberos configuration
It is crucial at this specific point to verify that Kerberos is set up properly and that your
principal and keytab are valid. If they are not, then there is no point in going further in the
Page 21
process.
kinit is a utility provided with the JDK on Windows and as part of the kerberos (or kerberostools) package on Linux that can be used to validate your Kerberos configuration. NB at this
stage, we are just validating that the server itself can communicate properly with the KDC, i.e.
this is machine-level test, not a test of Weblogic config.
If your principal was created properly, you should be able to request a TGT (ticket Granting
Ticket) from Kerberos using that principal. If the keytab file was generated properly, then you
should be able to use this file instead of the password of your account. kinit tests both
simultaneously.
The
syntax
is
kinit
<keytab-file>
<account-name>
NB in Unix/Linux, the principal name will be fully qualified in the form HTTP/<wls-server> and
the syntax differs slightly in that the V switch should be added or else it will complete silently
So,
in
our
example
scenario
for
Windows
the
synatx
is:
C:\OBI\jdk160\bin\kinit k t C:\OBI\user_projects\domains\bifoundation_domain\bieesvr1.keytab
bieesvr1
By default, on the Windows platform a cache file named <USER_HOME>\krb5cc_<USER_NAME> will be

generated
and
the
output
should
be
something
similar
to:
New ticket is stored in cache file C:\Documents and Settings\jsmith\krb5cc_jsmith
And for Linux the example syntax would be

kinit V k t /opt/obi/user_projects/domains/bifoundation_domain/bieesvr1.keytab
HTTP/bieesvr1.xyz2.com
If you got to this step without any error, then you have successfully configured the KDC.
Otherwise, please consult the section on troubleshooting Kerberos configuration.
Configure Weblogic Login Module
JAAS allows dynamic configuration of login modules, so we need to create a JAAS configuration
file that specifies the Kerberos login modules. Create a file named krb5Login.conf in the
Weblogic domain directory (i.e. in our example scenario this would be at
C:\OBI\user_projects\domains\bifoundation_domain\krb5Login.conf) with the following contents:
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal=<Service principal account>@<Kerberos realm>
keyTab=<Name of the keytab file we created, relative to Weblogic domain directory>
useKeyTab=true
storeKey=true
debug=true;
};
Page 22
So, in our example scenario, this would become:

principal=bieesvr1@XYZCORP.COM
keyTab=bieesvr1.keytab
useKeyTab=true
storeKey=true
debug=true;
};
Note that in practice it has been observed that different formats of specifying the principal
work differently on different JDKs and/or AD Domain Controllers. For example, in some
instances the following has been used successfully:
principal=HTTP/bieesvr1.xyzcorp.com@XYZCORP.COM
keyTab=bieesvr1.keytab
useKeyTab=true
storeKey=true
debug=true;
};
Note that we specify just the name of the keytab file as both the keytab file and the
krb5Login.conf file are in the Weblogic domain directory. Also note the quotation marks around
the principal name these are required.
Next, we need to specify the file location as a startup option in the WLS java command line:
-Djava.security.auth.login.config=krb5Login.conf
and
specify
the
two
following
additional
java
options:
-Djavax.security.auth.useSubjectCredsOnly=false
-DWeblogic.security.enableNegotiate=true
These settings can be specified in the Weblogic domain environment script which can be found
in the bin subdirectory under the Weblogic domain dir. So, in our example scenario, we would
edit the file
C:\OBI\user_projects\domains\bifoundation_domain\bin\setDomainEnv.cmd
Page 23
Find
set
the
line
that
JAVA_PROPERTIES=%JAVA_PROPERTIES%
and
before
it,
insert
reads:
%EXTRA_JAVA_PROPERTIES%
this
line:
set EXTRA_JAVA_PROPERTIES=-Djava.security.auth.login.config=krb5Login.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-DWeblogic.security.enableNegotiate=true
-Dsun.security.krb5.debug=true %EXTRA_JAVA_PROPERTIES%
N.B. you will, of course, need to restart the Weblogic Admin Server and any/all Managed
Servers for these settings to take effect.
If your Weblogic server is on Linux and you were not able to place the krb5.conf file in the
default location (usually /etc/krb5 in Oracle Unbreakable Linux, but check details if you are
using
an
alternate
distribution),
you
also
need
to
specify
the
parameter
-Djava.security.krb5.conf=<path>/krb5.conf before the %EXTRA_JAVA_PROPERTIES%.
Configure the Single Pass Negotiate Identity Assertion provider
In order to enable Weblogic to extract a SPNEGO/Kerberos ticket from incoming requests, you
need to enable the NegotiateIdentityAsserter provider, which will use the login config and
keytab file we set up in the previous section to communicate with the Kerberos server.
Log in to Weblogic Admin Console
Select Security Realms->myrealm, then Providers->Authentication Providers
In the Change Centre at the top left, click Lock and Edit, then on the Authentication
Providers screen, click New
In the New Authentication Provider screen, type in a name for your Asserter and select
NegotiateIdentityAsserter from the dropdown box, then click OK
In the Change Centre at the top left, click Activate Changes to save your changes. The
changes will not be applied (and so your new Asserter will not be activated) until you
restart the Weblogic Admin Server and all Managed Servers
Return to the main Authentication Provider screen (Security Realms->myrealm>Providers->Authentication)
Page 24
Click the Reorder button, then select the tickbox next to your NegotiateIdentityAsserter
(SPNEGOAsserter in our example), then use the shuttle control to put the
NegotiateIdentityAsserter second in the list behind the ActiveDirectoryAuthenticator we
configured earlier.
TROUBLESHOOTING KERBEROS/WEBLOGIC SERVER CONFIGURATION
There are a series of config settings on both the KDC and Weblogic Server which all have to be
correct in order for the overall WNA/SSO authentication to work, and it is the most likely area
to go wrong. Hence in this section, we will attempt to give an overview of some of the tools and
techniques you can use to pinpoint likely problem areas.
kinit
kinit is a tool provided with the JDK on Windows or in the kerberos utilities on Linux used to
obtain and cache Kerberos ticket-granting tickets and is used to validate that the system on
which Weblogic Server is installed can communicate with the KDC. This validates the systemwide krb5.ini file (e.g. C:\Windows\krb5.ini) and the keytab file you have created.
The syntax is:
kinit
So,
in
<keytab-file>
our
example
<account-name>
scenario:
C:\OBI\jdk160\bin\kinit k t C:\OBI\user_projects\domains\bifoundation_domain\bieesvr1.keytab
bieesvr1
By default, on the Windows platform a cache file named <USER_HOME>\krb5cc_<USER_NAME> will be

generated
and
the
output
should
be
something
similar
to:
New ticket is stored in cache file C:\Documents and Settings\jsmith\krb5cc_jsmith
(On Unix platforms a cache file named/tmp/krb5cc_<uid> will be generated. <uid> is the user
identification number of the user logged into the system.)
On Windows, you can also run kinit with a debug option, and get extensive Kerberos debugging
information, by running the Kinit class with debug options (the kinit binary is simply a wrapper
to invoke the class). In our example scenario, this would look like:
C:\OBI\jdk160\bin\java.exe
sun.security.krb5.internal.tools.Kinit
-Dsun.security.krb5.debug=true
This will generate a much more verbose output, with Kerberos debugging information so that if
you do not get the expected New ticket is stored in message, you should run the Kinit
debug class shown above for information as to what failed and why.
You can achieve the same if using jrockit using a command like the one below:
<Middleware_home>\jrockit-jdk1.6.0_26-R28\bin\kinit -J-Dsun.security.krb5.debug=true -k -t
<keytab-file> <account-name>
klist
klist is also supplied with the JDK on Windows or in the kerberos utilities on Linux and is a very
useful tool for displaying (and if necessary purging) tickets already granted and cached in
Page 25
communicating with the KDC. It can be useful for purging old tickets (e.g. if you have changed
your keytab or config settings and want to make sure youre not still using old cached tickets)
and ensuring that the tickets you have been getting are related to the correct service name. It
is equally useful on both the Weblogic server and on the client machine from which youre
trying to authenticate using SSO. The syntax is:
<path to JDK>/bin/klist (e.g. C:\OBI\jdk160\bin\klist.exe)
to just list the current login tickets, or with the purge option to delete them e.g.:
C:\OBI\jdk160\bin\klist.exe purge
Sample output from klist run without the purge flag (i.e. in simple list mode) on a client
machine might look like this:
Current LogonId is 0:0x71c30
Cached Tickets: (3)
#0>
Client: bjones @ XYZCORP.COM

Server: krbtgt/XYZCORP.COM @ XYZCORP.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 12/6/2010 4:27:22 (local)
End Time:
12/6/2010 14:27:22 (local)
Renew Time: 12/13/2010 4:27:22 (local)

Session Key Type: RSADSI RC4-HMAC(NT)
#1>

Server: HTTP/bieesvr1 @ XYZCORP.COM
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 12/6/2010 4:36:55 (local)
End Time:
12/6/2010 14:27:22 (local)
Renew Time: 12/13/2010 4:27:22 (local)

Session Key Type: Kerberos DES-CBC-MD5
#2>

Server: LDAP/addc.xyzcorp.com/xyzcorp.com @ XYZCORP.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2010 4:27:23 (local)
End Time:
12/6/2010 14:27:22 (local)
Renew Time: 12/13/2010 4:27:22 (local)
Page 26
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Like kinit, klist can also be run as a Java class on Windows, to enable verbose debug output:
C:\OBI\jdk160\bin\java.exe -Dsun.security.krb5.debug=true
sun.security.krb5.internal.tools.Klist
It can also be used to list the entries in a keytab file e.g.

klist -k bieesvr1.keytab
Keytab name: FILE: /opt/obi/user_projects/domains/bifoundation_domain/bieesvr1.keytab
KVNO Principal
---- -------------------------------------------------------------------------3 HTTP/bieesvr1 @ XYZCORP.COM
3 HTTP/bieesvr1 @ XYZCORP.COM
Kinit errors:
Cannot contact any KDC for requested realm while getting initial credentials
Your computer successfully sent out a request, but the KDC never responded. The network is
probably down between your host and the KDC, or you are behind a firewall. Double-check the
KDC settings in the krb5.ini (krb5.conf) file.
javax.security.auth.login.LoginException: KrbException:: Pre-authentication information was invalid (24) - Preauthentication failed
The principal exists in Kerberos but the password is wrong. This is a password problem.
Double-check the validity of your keytab, or of the password that you have entered.
If you are confident about your password, refreshing the password for the user in the AD server
may solve the problem. (By right clicking on the user in AD user manager, selecting Reset
Password and re-entering the same password specified earlier).
Another reason for that problem to happen is if another principal with the same short name
exists in the AD server (i.e. different DNs but same CN). This is likely to happen if the host that
runs WLS already belongs to the network domain, then it will have an account in the
Computers section, and a password there too. In that case, you will run into SPN issues as well.
The best way out of this is to create a new user account, with a different CN, and map the HTTP
SPN to the new account, (and remove the SPN from any other account).
Exception: krb_error 0 Cannot retrieve key from keytab for principal xxx No error
The keytab file you have provided was not created for that principal, or there is no such file
(this will be easy to check). If the file does exist, either the principal does not exist in the AD
server or this keytab is not for the specified principal. In order to verify this, run the command
without a keytab: kinit xxx (where xxx is the name of your principal). It will prompt you for a
password; enter the password you believe to be correct for the principal.
If the answer is :Exception: krb_error 6 Client not found in Kerberos database (6), then the
principal does not exist at all.
Page 27
If the answer is: Exception: krb_error 24 Pre-authentication information was invalid (24), then
the principal exists but the password is incorrect.
If the answer is : New ticket is stored in cache file Then the password you know is correct,
and probably the keytab file you have provided in the previous command is invalid, or belongs
to a different principal.
javax.security.auth.login.LoginException: KrbException: KDC has no support for encryption type (14)
Your KDC does not support the encryption type requested. Typically, the encryption type is
specified in the krb5.ini (or krb5.conf in Unix) Kerberos configuration file. Please choose
an encryption type that is supported by the KDC you are using. The common encryption types
are : DES_CBC_MD5 and DES_CBC_CRC.
The default encryption type entries, default_tkt_enctypes and default_tgs_enctypes are optional.
However, if the Kerberos client receives an encryption type error, set the default encryption
type to either DES-CBC-MD5 or DES-CBC-CRC on both sides of the dialog.
If your Active Directory Domain Controller is on Windows Server 2008, DES encryption is
disabled by default, so you will need to explicitly enable it as noted in the section Enabling
DES Encryption on Windows Server 2008 R2 above.
SPN issues
If your Weblogic server log shows the following:

<Apr 26, 2005 1:29:12 PM PDT> <Debug> <SecurityDebug> <000000> <Found NTLM token when
expecting SPNEGO>
It means that the Weblogic server was ready to extract a SPNEGO token but could not find one
in the request sent by the browser. There are two likely explanations:
The browser is not set up correctly to send a SPNEGO token please see the next
section on browser configuration.
Something is wrong in your SPN definition. Either no SPN was defined for this service,
or you have duplicate SPNs, which means that the SPN resolved in more than one
principal
associated
with
it.
You
can
verify
this
by
typing:
LDIFDE
-d
DC=yourdomain
,DC=com
-f
c:\export.txt
This will export the list of AD objects to the file export.txt. Then look for your service
(HTTP/<WLS-host>) in the values of the attribute ServicePrincipalName. If it shows
more than once or not at all, you need to rectify the problem. Please see the suggestions
from
Microsoft
support:
http://technet.microsoft.com/en-us/library/cc772897(WS.10).aspx
Weblogic Login Module errors
Once we have established that the system itself can login to/communicate with the KDC, there
may still be errors in the krb5Login.conf file that we placed in the Weblogic domain directory.
The most common manifestation of this is an error message in the Weblogic server logs:
Page 28
Exception: Weblogic.security.providers.utils.NegotiateTokenException:
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT
credentials failed!)
This is a catch-all exception that covers anything that might have gone wrong during the
process of the WLS server loading the JAAS configuration from the krb5Login.conf file to
reading the keytab and successfully decoding the SPNEGO ticket. So there can be many
reasons why you would get this exception. Usually there will be reason nested somewhere in
the stack trace, such as:
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for
com.sun.security.jgss.accept
The cause can give a little more information regarding when in the process something went
wrong. In the example above, the LoginModuleConfiguration was not successful, so you need to
look for problems in krb5Login.conf. Common reasons for this error include:
The krb5Login.conf file could not be found or opened Double check the way you have
specified it to WLS, double check existence and permissions.
Some wrong syntax inside the krb5Login.conf This type of problem will not be reported
in detail, but as a consequence, the JAAS login configuration will not be loaded, and the
exception will be thrown. Go over each and every word of the krb5Login.conf file, and
compare it to the one specified in this document.
Other causes can be an invalid or inexistent keytab file, mismatch in encryption types, but most
of these would have been discovered at the kinit phase. So, the most probable cause for this
exception is around the krb5Login.conf file.
Page 29
STAGE 3: CONFIGURE BI FOR SSO

Configure BI Analytics App to request SPNEGO Authentication
Finally on the Weblogic server, we need to change the deployment descriptors for the BI
analytics application to apply a security constraint so that it will request the SPNEGO/Kerberos
authentication information.
Locate the analytics.ear in your Oracle BI Home directory. This will be <Oracle BI Install
Dir>/Oracle_BI1 (or whatever you chose to name your Oracle BI Home on
install)/bifoundation/analytics.ear. So in our example scenario, this would be located at:
C:\OBI\Oracle_BI1\bifoundation\jee\analytics.ear
Make a backup copy of the ear file so that you have a restore point to refer back to (and
revert to) if needed
Unpack the analytics.ear file to a temporary location, using the Java jar tool. Use the
command line options xvf to extract the contents to the current working directory (e.g.
C:\OBI\jdk160\bin\jar xvf C:\OBI\Oracle_BI1\bifoundation\jee\analytics.ear), so you will
probably want to create a temporary directory to hold the unpacked contents and
change into that directory before running the command. The ear contains a META-INF
directory and two war files, analytics.war and analytics-ws.war
In the META-INF directory, there is a MANIFEST.MF file, add the following line to the
end of the file:
Weblogic-Application-Version: 11.1.1
Note that it has been reported that when re-applying these steps following the application
of BI 11.1.1.5.0 BP2 patches, this step to update MANIFEST.MF should be ignored as the new
analytics.ear file is not versioned.
Unpack the analytics.war file to a second temporary location; it contains a default.jsp file
and five top-level directories, one of which is called WEB-INF.
Create a new deployment descriptor file in WEB-INF called weblogic.xml. It should

contain the following:
<?xml version = '1.0' encoding = 'windows-1252'?>

<weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app
http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd"
xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
<context-root>analytics</context-root>
<security-role-assignment>
<role-name>SSORole</role-name>
<principal-name>BIUsers</principal-name>
Page 30
<principal-name>BIAdmins</principal-name>
</security-role-assignment>
</weblogic-web-app>
Note that in practice, it has been observed that different platforms require slightly different
formatting of the text above. Make sure there are no hidden characters and check the
quotes are correct for your platform. In particular, it has been noticed that cutting and
pasting out of a document does not always result in a successful weblogic.xml.
The name of the role is not important, so long as it is consistent in this file and in sections
we will add in the web.xml file in the next step. The principal name element(s) should refer
to the Active Directory groups (not Application Roles) you wish to allow access to the
application. NB all BI users will need to be members of at least one of the these groups.
Also, in the WEB-INF directory, you will find an existing file called web.xml. Edit web.xml
and look for a section like this:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
Replace this section with the following:

<security-constraint>
<web-resource-collection>
<web-resource-name>BI Analytics</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
</security-role>
The name of the role is not important, so long as it is consistent in this file and in the
Weblogic.xml file.
Once you have edited both files, repackage the analytics.war file, again using the jar
tool, and, in turn, repackage that back into the analytics.ear file.
Page 31
Next we need to redeploy the analytics.ear file to Weblogic so that the new security constraint
will come into effect.
Log into Weblogic Admin Console and click on Deployments
In the Change Centre at the top left, click Lock and Edit
Find the analytics app and click the tickbox next to it, then click on the Update button
In the Update Application Assistant screen, make sure the deployment path is the same
as the ear file you just updated, if not change the path
Click Next, then Finish
Page 32
In the Change Centre at the top left, click Activate Changes to save your changes. If
you have not already done so, restart the Weblogic Admin Server and all Managed
Servers
Configure BI for SSO
Finally, we must tell the core BI Application to accept SSO-authenticated clients from Weblogic.
Log in to Oracle Enterprise Manager (e.g. http://bieesvr1:7001./em/)
In the menu on the left hand side select Farm-> Business Intelligence -> coreapplication
Then on the main screen, select the Security tab
Click Lock and Edit Configuration in the Change Centre section at the top of the
screen
Tick the Enable SSO tickbox and select Windows Native Authentication in the
dropdown
Click Apply at the top right of the Security screen
Click Activate Changes in the Change Centre
Page 33
STAGE 4: CONFIGURING CLIENT MACHINES
The final stage is to configure the browser on the client machine(s) you will use to access your
Oracle BI EE system via SSO. Note that users must be logged into the AD domain on the client
machine they should then be able to simply access the system via their browser with no
further authentication required.
Before continuing with this section:
Remember to enable kerberos encryption on the clients local security policy on

Windows 7 or Vista
Be sure to use a client machine that connects to the domain before to trying to login in
OBIEE
Configure the client for single sign on

Internet Explorer
Go to Tools --> Internet Options
Select the "Security" tab
Click on "Local Intranet" Icon. This will enable the "Sites" button.
Click "Sites" button. This will show a "Local Intranet" Popup.
Make sure the option "Include all local (intranet) sites not listed in other zones" option
selected. (Windows XP Only).
Click on "Advanced" Button. In the new popup window add the URL for the machine
hosting Weblogic.
Click OK to save your settings.
In the "Security" tab, Click "Custom Level" button.
In the "Security Settings" dialog, under "User Authentication" section, make sure
"Automatic logon only in Intranet zone" option is selected.
Click OK to save your settings.
Go to "Connections" tab ---> LAN Settings.
If you have a proxy server enabled, click on "Advanced" button. Make sure you add the
URL for the machine hosting Weblogic in the "Exceptions" box.
In the "Internet Options ---> Advanced" tab, make sure "Enable Integrated Windows
Authentication (requires restart)" option is checked. Click "OK". (If this option is not
selected previously, you need to close all browser instances for the setting to take effect).
Firefox
To configure a Firefox browser to use Windows Integrated Authentication, complete the

following steps:
Page 34
Start Firefox.
Enter about:config in the Location Bar.
Enter the filter string network.negotiate.
Set the preferences as shown below
Preference Name
Status
Type
Value
network.negotiate-auth.allow-proxies
default
boolean
true
network.negotiate-auth.delegation-uris
user set
string
http://,https://
network.negotiate-auth.gsslib
default
string
network.negotiate-auth.trusted-uris
user set
string
http://,https://
network.negotiate-auth.using-native-gsslib
default
boolean
true
<blank>
Additional settings for SSL with IE8/Windows 7
If your BI web application is protected by SSL and your client is using either Internet Explorer
8 or Windows 7, you may be affected by a compatibility issue between the Microsoft Extended
Protection for Authentication Security Update and the Java Virtual Machine shipped with
Oracle BI 11.1.1.3.0.
If you find that you can access the SSL-protected app from IE7 but not from clients using IE 8
or Windows 7, you can either roll back those client to IE7 or else follow the instructions in this
technote from Microsoft:
http://support.microsoft.com/?scid=kb%3Ben-us%3B968389&x=10&y=18
Specifically, the setting

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection
must be present and set to a decimal value of 3 on clients using Windows 7/Internet Explorer 8
that are affected by this issue.
TROUBLESHOOTING THE CLIENT AND 401 ERRORS
Unfortunately, after the stage of testing your server can communicate with the KDC, theres no
point testing you can do until you get to the stage of actually pointing a client at the BI web app
and seeing what happens. If it works, youll be authenticated and logged in to the application
without having to sign in. If it doesnt your likely to see an error message saying Error 401:
Unauthorized. This means exactly what it says youre not authorised to access the web
application. The question is why if the SSO setup was all working, you should have just gone
straight in. Essentially, if you experience this error, but you have validated your keytab is good
Page 35
and the server can communicate with the KDC using kinit, then the issue lies in one of the steps
in between. The following are probable causes (N.B. specific troubleshooting steps are covered
in their respective sections):
1. The Weblogic Kerberos config file is incorrect so that although kinit verifies your machine can
authenticate with the AD server, Weblogic cannot. Recheck the settings in krb5login.conf,
and setDomainEnv.cmd (see section above entitled Configure Weblogic Login Module)
2. Your client is not correctly configured - have you added the Weblogic server URL (e.g. http://:
bieesvr1.xyz2.com:9704/analytics/) to the Intranet zone and set the Automatic logon in
Intranet zone setting? (see the section above entitled Configure the client for single signon)
3. You're not logged into the AD domain on the client - you need to login to Windows on the
client machine as an account in your AD domain (e.g. XYZCORP\jsmith)
4. Your user account is not a member of the group(s) you specified in the principal element(s) in
weblogic.xml. N.B. these groups must exist in the AD domain (see section above entitled
Configure BI Analytics App to request SPNEGO Authentication )
WEBLOGIC AUTHENTICATION LOGGING
It can be useful for troubleshooting to enable Weblogic Authentication logging on the Managed
Server (or Admin Server if using a Simple Install). You can accomplish this from the Weblogic
console in the server debug tab in the security tree.
1. Login to WLS console
2. Navigate to: WLS console --> expand 'Environment' --> click 'servers' --> click the
server name on the middle pane, e.g., BI_Server1'
3. Click the 'Debug' tag on the top, expand 'weblogic' under 'Debug Scopes and Attributes'
4. Expand 'security' -> expand 'atn' -> check the 'DebugSecurityAtn', and click 'enable'
button
OBIEE 11g: How To Check each Configuration Step

when Configuring Authentication and SSO with
Active Directory and Windows Native Authentication
(Doc ID 1390127.1)
Modified:18-Dec-2012
To
Bottom
Type:HOWTO
In this Document
Page 36
Goal
Fix
References
APPLIES TO:
Business Intelligence Server Enterprise Edition - Version 11.1.1.5.0 [1308] and later
Business Intelligence Suite Enterprise Edition - Version 11.1.1.5.0 [1308] and later
Information in this document applies to any platform.
GOAL
Windows Native Authentication with Weblogic is generic Weblogic functionality
rather than specific to OBIEE.
Document 1274953.1 is a technical note designed to bridge the gap between
generic Weblogic Windows Authentication and what is needed to perform Windows
Authentication for OBIEE. If you have issues arising from the generic set up, you
should raise a service request against Weblogic. If you can perform Windows
Authentication against a J2EE app running in Weblogic, but you cannot get one of the
OBIEE J2EE apps to work with this, then you should raise a service request against
OBIEE.
A simple test web app is attached to this note and is designed to help check this
configuration on the Admin Server in Weblogic.
This web app is not part of the supported product, but it is very useful.
If you cannot get access to the page protected by Kerberos in this web app, OBIEE
will not work.
FIX
Here are the steps to follow:
1. Deploy webapp.war in WebLogic AdminServer.
Access
For
the
page,
the
context
root
is
SPNEGOcheck.
example:
Page 37
http://adminserver.domain:adminserverport/SPNEGOcheck
This is a web application; therefore, it should deploy and work without any issues
with
default
configuration.
Each
page
will
check
step
in
the
SSO
setup
Please follow the above steps and attach screen shots of the test for each page of
the configuration to your service request.
Page 38
OBIEE 10g and 11g: Comparing Repository And

Catalog Security Models And Changes With Upgrade
(Doc ID 1389893.1)
Modified:11-Oct-2013
To
Bottom
Type:FAQ
In this Document
Purpose
Questions and Answers
What documentation describes the security model for the Repository (RPD) and Catalog
in OBIEE 10g?
What documentation describes the security model for the RPD and catalog in OBIEE
11g?
How are security settings enabled / controlled in OBIEE 10g and 11g?
What are the primary differences between the OBIEE 10g and 11g security models and
what happens during upgrade?
APPLIES TO:
Business Intelligence Suite Enterprise Edition - Version 10.1.3.2 to 11.1.1.7.1 [Release 10g to
11g]
***Checked for relevance on 24-Jun-2013***
PURPOSE
This document highlights the security features in Oracle Business Intelligence
Enterprise Edition (OBIEE) and compares and contrasts features found in OBIEE 10g
and 11g.
QUESTIONS AND ANSWERS
Page 39
What documentation describes the security model for the Repository (RPD) and Catalog in
OBIEE 10g?
OBIEE 10g security and repository access control are described in the Oracle Business
Intelligence Server Administration Guide.
Web Catalog security and access control is described in the Oracle Business Intelligence
Presentation Services Administration Guide.
What documentation describes the security model for the RPD and catalog in OBIEE 11g?
OBIEE 11g security is described primarily in two places:
Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence 11g Release
1 (11.1.1)
Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise
Edition 11g Release 1 (11.1.1).
Main Oracle Business Intelligence Enterprise Edition Documentation Page (for versions not listed
above)
NOTE: Unlike OBIEE 10g, there are not separate documents for the BI Server and BI
Presentation Server. For OBIEE 11g, both the RPD and catalog security are described in the
Security Guide.
How are security settings enabled / controlled in OBIEE 10g and 11g?
In OBIEE 10g, security is controlled at the following points: permissions on the OBIEE
Presentation catalog, via the repository (users and passwords) and optionally via an
external LDAP, or external tables.
In OBIEE 11g, the security policy is split across the OBIEE presentation catalog,
repository and default 11g identity store (embedded WLS LDAP), or external LDAP
(i.e. OID or other if used).
Page 40
What are the primary differences between the OBIEE 10g and 11g security models and what
happens during upgrade?
Page 41
Security
Task/Object
OBIEE 10g
OBIEE 11g
What happens
during 10g
upgrade to 11g?
Define Users and

Groups in RPD file
using OBIEE Admin
Tool
Default
N/A. By default, users

are defined in
embedded WLS LDAP
via FMW EM Console,
or alternatively, in
external LDAP.
By default, existing
users and groups
migrated to
embedded WLS LDAP.
Existing groups are
automatically
mapped to an
Application role.
Defining security
policies
Policies in the catalog

and repository can be
defined to reference
groups within a
directory
Policies are defined in

terms of application
roles, which map to
users and groups in a
directory.
10g catalog groups

are automatically
migrated in the
upgraded catalog and
assigned the same
privileges, access,
and membership.
"Administrator" user
Unique user with full

administrative
privileges
No single user named

for full administrative
privileges.
Administration can be
performed by any
user who is member
of BIAdministrators
group.
"Administrator" user
automatically added
as member of
"BIAdministrators"
group in embedded
WLS LDAP and
granted Administrator
role. The user
specified during
OBIEE 11g installation
(i.e. "weblogic",
"biadmin") is also a
member of the
BIAdministrators
group.
Repository encryption Available on sensitive Entire RPD encrypted

elements only - i.e.
via a password.
user passwords,
connection pool
passwords, etc.
Prompted to set a
repository password
while running the
upgrade assistant. Do
not lose this
password as there
is no feature to
recover a lost
password.
External
Authentication and
OBIEE Initialization
(Init) Blocks
Upgraded RPD will

continue to point to
10g LDAP or external
tables. Initblocks may
need to be modified
to ensure that
deprecated, or Page 42
reserved word,
variable names are
Init blocks are

required for external
LDAP or external
table authentication.
Init blocks not

required for WLS
embedded LDAP. Init
blocks are required
for external LDAP or
external table
authentication.
Related
Products
Page 43
How To Start / Stop An OBIEE 11g (11.1.1.x) Unix /

Linux Environment Via Command-line (Doc ID
1240964.1)
PURPOSE
This document will describe one method to start and stop an Oracle Business
Intelligence Enterprise Edition (OBIEE) 11g (11.1.1.x) environment on the
Linux/Unix platform via the command-line. This document supplements the
existing documentation (see:
Oracle Fusion Middleware System Administrator's Guide for Oracle Business
Intelligence Enterprise Edition 11g Release 1 (11.1.1), Chapter 4 Starting and
Stopping Oracle Business Intelligence). This method is not intended to be allinclusive. In other words, there may be other methods to achieve the same
result.
For example:
Another method would be to use the WebLogic Scripting (WLST)
Getting Started Using the Oracle WebLogic Scripting Tool (WLST)
This example assumes node manager is started.
APPHOST1> cd ORACLE_COMMON_HOME/common/bin
APPHOST1> ./wlst.sh
In the WLST shell, execute the following command:
wls:/offline>nmConnect('Admin_User','Admin_Pasword',
'APPHOST1','9556','domain_name','Domain_Home')
wls:/nm/domain_name> nmStart('AdminServer')
For example:
wls:/offline>nmConnect('weblogic', 'my_password', 'APPHOST1' , '9556',
'bifoundation_domain' ,'/u01/app/oracle/admin/bifoundation_domain/aser
ver/
bifoundation_domain')
wls:/nm/bifoundation_domain> nmStart('AdminServer')
Page 44
SCOPE
This document is intended for anyone who administers an OBIEE 11g
(11.1.1.x) environment and who may want to use a stop/start procedure that
does not rely on a web-based interface.
DETAILS
Starting the environment via command-line:
The high-level manual steps are:
Set your environment
Start WLS Admin Server in the background
Start WLS NodeManager
Start WLS Managed Server
Start Oracle Instance (system components managed by OPMN)
Note: There is no specific dependency in the start order since managed servers can
run in independent mode; however, ideally one would start the nodemanager or
AdminServer first if relying on users or system users in the default Weblogic ldap
authenticator.
Note: init.d boot time startup scripts are not covered here. These examples are
from Oracle Enterprise Linux 5
1. Set your environment (manually or via script).

Note: You may use the standard environment scripts (commEnv.sh,
setDomainEnv.sh, etc) ; however, these are the minimal variables necessary
for these examples
MW_HOME=/[path]/[obiee11g_middleware_home]; export MW_HOME

DOMAIN_HOME=/$MW_HOME/user_projects/domains/bifoundation_domain;
export DOMAIN_HOME
WL_HOME=$MW_HOME/wlserver_10.3; export WL_HOME
ORACLE_HOME=$MW_HOME/Oracle_BI1; export ORACLE_HOME
Page 45
ORACLE_INSTANCE=$MW_HOME/instances/instance1; export
ORACLE_INSTANCE
#
# You may also want to set your PATH environment to avoid having
to use
# paths in the commands
#
PATH=$WL_HOME/server/bin:$DOMAIN_HOME/bin:$ORACLE_INSTANCE/bin:
$ORACLE_HOME/OPatch:$PATH; export PATH
2. Start the WebLogic (WLS) Administration Server in the background

Note: For username and password, you can:
o
pass username/pwd in the command line,
use the boot.properties file for an encrypted username/password
set as environment variables - WLS_USER / WLS_PW,
or pass WLS_USER /WLS_PW in the start scripts.

Please see the Oracle WebLogic documentation to determine what
meets your need.
In these examples, you can name the logs whatever you desire.
Execute:
nohup sh $DOMAIN_HOME/bin/startWebLogic.sh
-Dweblogic.management.username=weblogic
-Dweblogic.management.password=[_your_password_] > wls_start.log
&
Next, tail the log to determine if the server started completely.

execute:
tail -f [log name]
wait until you see:
Page 46
<WebLogicServer> <BEA-000360> <Server started in RUNNING mode>

there should be no further lines after this. If successful, proceed to step 3. If
errors, correct them and restart.
Note: This takes some time. The terms "takes some time", "starts fast",
"starts slow", "takes xx amount of time" are all relative terms depending
upon resources in your environment.
3. Start Node Manager

Note: In this example, the username and password are embedded in script
via WLS_USER and WLS_PW. If you need another method or a more secure
method, like a boot.properties file, then please see:
Oracle Fusion Middleware Managing Server Startup and Shutdown for Oracle
WebLogic Server 11g Release 1 (10.3.1)
Execute:
nohup sh $WL_HOME/server/bin/startNodeManager.sh >
startNodeManager.log &

tail -f [log name]
Look for <INFO> <Secure socket listener started on port 9556>

Note: starts fast
4. Start the OBI Managed Server (bi_server1 -- default - java bits)

Note: This can be started via Fusion Middleware Control or WebLogic
Administration Console as well. For this example, modify WLS_USER and
WLS_PW in the startManagedWebLogic.sh script to the values chosen during
Page 47
installation. You can set ADMIN_URL in the environment, in the script or pass
on the command-line. In this example, it is passed on the command-line.
Execute:
nohup sh $DOMAIN_HOME/bin/startManagedWebLogic.sh bi_server1
http://server.domain:7001 > start_bi_server1.log &

tail -f [log name]
look for "Server started in RUNNING mode:

<Mon D, YYYY H:MM:SS PM EDT> <Notice> <WebLogicServer> <BEA000330> <Started WebLogic Managed Server "wls_ods1" for domain
"IDMDomain" running in Production Mode>
<Mon D, YYYY H:MM:SS PM EDT> <Notice> <WebLogicServer> <BEA000365> <Server state changed to RUNNING>
<Mon D, YYYY H:MM:SS PM EDT> <Notice> <WebLogicServer> <BEA000360> <Server started in RUNNING mode
Note: takes about 30 seconds depending upon your environment. At this

point, you could start any other servers that you have configured in the same
manner. For example, WLS_DISCO, WLS_PORTAL.
5. Start the OBIEE System Components ( BI Servers -- c++ bits)

$ORACLE_INSTANCE/bin/opmnctl startall
Next, execute: opmnctl status or opmnctl status -l (lower case L) to

ensure the processes are started properly/completely.
The output will look similar to this:
Page 48
$ORACLE_INSTANCE/bin/opmnctl status -l
Processes in Instance: instance1
---------------------------------+--------------------+--------+----------+------------+----------+-----------+-----ias-component | process-type | pid | status | uid | memused |
uptime | ports
---------------------------------+--------------------+--------+----------+------------+----------+-----------+-----coreapplication_obiccs1 | OracleBIClusterCo~ | 11741 | Alive |
70916792 | 55188 | 0:01:01 | N/A
coreapplication_obisch1 | OracleBIScheduler~ | 11740 | Alive |
70916789 | 122388 | 0:01:01 | N/A
coreapplication_obijh1 | OracleBIJavaHostC~ | 11739 | Alive |
70916790 | 1186088 | 0:01:01 | javahost:9810
coreapplication_obips1 | OracleBIPresentat~ | 11742 | Alive |
70916791 | 261576 | 0:01:01 | N/A
coreapplication_obis1 | OracleBIServerCom~ | 11738 | Alive |
70916788 | 150904 | 0:01:01 | N/A
Stopping the enviroment cleanly via the command-line:

Reverse the steps above with the following commands:
Note: You can look inside the respective scripts or the documentation for alternative
or more secure methods. You can also kill the processes, but you may risk
corruption.
1. Stop the Oracle Instance
$ORACLE_INSTANCE/bin/opmnctl stopall
2. Stop the OBIEE Managed Server (bi_server1)
$DOMAIN_HOME/bin/stopManagedWebLogic.sh bi_server1
t3://host.domain:7001 username password
If running other managed servers, then stop them in the same manner.
3. Stop the the WebLogic (WLS) Administration Server
$DOMAIN_HOME/bin/stopWebLogic.sh username password
t3://host.domain:7001
At this point, since the node manager was started in another shell in the
background, then you will need to kill the JVM process that the node manager is
running under. There should be no risk of corruption at this point since everything is
Page 49
already shutdown. If you had started the node manager in a shell (and not in the
background), then you could just close the shell.
You can use the command ps -ef | grep [os user] to check for running
processes under the specified user and then kill the JVM process with kill -9
[PID] (where PID is the process id of the running JVM)
How To Apply The OBIEE 11.1.1.6.2 Roll-Up

Patches (Doc ID 1459232.1)
Modified:17-Apr-2013
To
Bottom
Type:HOWTO
In this Document
Goal
Solution
References
APPLIES TO:
Business Intelligence Suite Enterprise Edition - Version 11.1.1.6.2 to
11.1.1.6.2 [Release 11g]
Exalytics In-Memory Machine X2-4 - Version Not Applicable to Not Applicable
[Release N/A]
GOAL
The purpose of this document is showing how to apply the OBIEE 11.1.1.6.2
patches and the issues you may find.
It is recommended that you read the readme file for each patch to make sure
you do not miss any step.
Page 50
Note: This note applies only to the 11.1.1.6.2 patch, not the 11.1.1.6.2bp1
patch. For instructions on applying the 11.1.1.6.2 BP1 patchset,
refer to the readme for patch 14223977 (the first patch of the
11.1.1.6.2 BP1 patchset)
This patch is certified for Exalytics v1.0.0.1.0 (PS1).
Moving from Oracle BI EE 11.1.1.6.0 or 11.1.1.6.1 to Oracle BI EE 11.1.1.6.2

is a two stage process:
Stage 1: Apply the Oracle BI EE 11.1.1.6.2 patches to the existing Oracle BI
EE 11.1.1.6.0 or 11.1.1.6.1 system.
Stage 2: Apply a JDeveloper patch to the newly patched Oracle BI EE system.
The OBIEE 11.1.1.6.2 patches are the following. We will refer to these
patches as "OBIEE 11.1.1.6.2":
Patch 13932572 - 11.1.1.6.2 Oracle Business Intelligence Installer
Patch 13887566 - 11.1.1.6.2 Oracle Real Time Decisions
Patch 13926409 - 11.1.1.6.2 Oracle Business Intelligence Publisher
Patch 13892934 - 11.1.1.6.2 Oracle Business Intelligence ADF
Components
Patch 13916045 - 11.1.1.6.2 Enterprise Performance Management
Components Installed from BI Installer 11.1.1.6.x
Patch 13884769 - 11.1.1.6.2 Oracle Business Intelligence
Patch 13794002 - 11.1.1.6.2 Oracle Business Intelligence Platform Client
Installer
The JDeveloper patch is:

Patch 13952743 - RUP3 MLR4.3 CUMULATIVE: BASED ON
JDEVADF_11.1.1.6.2_GENERIC_120329.1447.6268.1 (Patch)
SOLUTION
These patches can be applied in any order. Please, take into account the
following:
Page 51
Although the readme files of the patches may seem similar, some patches
have specific instructions in the readme file. Please, read each readme file
carefully to make sure you do not miss any steps. Following are listed the
specific steps for those patches that have such extra steps (not all of the 7
OBIEE 11.1.1.6.2 patches have specific steps):
Tip: Stage 2: Apply a JDeveloper patch to the Oracle BI EE 11.1.1.6.2 system
(listed in all readme files)
When applying this patch in the 'oracle_common' Oracle Home, ensure you
set your environment correctly.
In the readme, it states to set the ORACLE_HOME environment variable to
the ..oracle_common directory and then set the JAVA_HOME and PATH based
on the relative directory of the oracle_comon ORACLE_HOME. If you do this,
then Opatch may fail because the jdk and opatch do not exist under
oracle_common.
We recommend, the following:
Clean command shell:
* On Linux, set the environment variables by typing the following:
your command may vary depeding upon the shell you are using (i.e.
setenv, export, etc.)
setenv ORACLE_HOME [Middlewarehome/Oracle_BI1] - enter your path
value
setenv PATH $ORACLE_HOME/bin:$PATH
setenv JAVA_HOME $ORACLE_HOME/jdk
setenv PATH $JAVA_HOME/bin:$PATH
setenv PATH $ORACLE_HOME/OPatch:$PATH
** setenv ORACLE_HOME [Middlewarehome/oracle_common] - enter your
path value
* On Windows, if the Oracle BI Home directory is C:\mwhome\Oracle_BI1, set
the environment variables by typing the following:
set ORACLE_HOME= [C:\mwhome\Oracle_BI1] - enter your path value
set PATH=%ORACLE_HOME%\bin;%PATH%
set JAVA_HOME=%ORACLE_HOME%\jdk
set PATH=%JAVA_HOME%\bin;%PATH%
set PATH=%ORACLE_HOME%\OPatch;%PATH%
** set ORACLE_HOME= [C:\mwhome\oracle_common] - enter your path
value
Page 52
1) From README.txt for patch 13892934:

Patch Installation specific to patch 13892934:
-----------------------------------------------------------------------------------------------------------------------------1. Stop opmn services, Weblogic managed servers and Admin server.
2. Apply patch using Opatch
3. Start all Weblogic managed servers and Admin server
To enable the Extender feature of BI Composer, in addition to this patch,
please download and install Patch Request 14768226 from ARU.
Clarification on the above sentence: "Patch Request 14768226 from
ARU" is the same as patch 13952743 (Jdeveloper patch) listed in the readme
file of patch 13884769. So you do not have to worry about that sentence.
Patch 13952743 is applied after all OBIEE patches have been applied (Stage
2).

Patch Installation instruction specific to 13932572:
-----------------------------------------------------------------------------------------------------------------------------1. Unzip BIINST_11_1_1_6_2_GENERIC_120405_1901_13932572.zip to
<Oracle_BI>, where
<Oracle_BI> is home folder of Oracle BI, for example, if the bishiphome
11.1.1.6.0 is installed to /opt/oracle/mw_home, <Oracle_BI>
should be /opt/oracle/mw_home/Oracle_BI1
2. Navigate to <Oracle_BI>
3. Execute opatch to apply patch:
./opatch apply 13932572 -invPtrLoc <oraInst.loc file> [-jre <JAVA_HOME>]
3) From README.txt for patch13887566:

Patch Installation Instructions specific to 12887566:
------------------------------------------------------------------------------------------------------------------------------
Page 53
1. Unzip RTD_11_1_1_6_2_GENERIC_120327_1635_13887566.zip to
<Oracle_BI>, where
<Oracle_BI> is home folder of Oracle BI, for example, if the bishiphome
11.1.1.6.0 is installed to /opt/oracle/mw_home, <Oracle_BI>
should be /opt/oracle/mw_home/Oracle_BI1
2. Navigate to <Oracle_BI>
3. Execute opatch to apply patch:
./opatch apply 13887566 -invPtrLoc <oraInst.loc file> [-jre <JAVA_HOME>]
4. Login in to WebLogic admin console
5. On left panel, click Lock & Edit button
6. Click link Deployments under Domain Structure
7. On Deployments list of right panel, check OracleRTD (11.1.1)
8. Click Update button
9. On Update Application Assistant page, click Finish button
10. On Deployments list of right panel, check oracle.rtd.client(1.0,11.1.1)
13. On Deployments list, check oracle.rtd.client.webapp(1.0,11.1.1)
16. On left panel, click Activate Changes button
17. Restart WebLogic server to which RTD is deployed.

Patch Installation Instructions specific to Patch 13884765:
-----------------------------------------------------------------------------------------------------------------------------1. Backup xmlpserver.ear
3. Remove jsp_servlet directory
- Login to BI host
- cd
DOMAIN_HOME/servers/bi_server1/tmp/_WL_user/bipublisher_11.1.1/to5gma
(actual path may vary)
- rm jsp_servlet
4. Update bipublisher application
- Login to BI Admin console
- Stop bipublisher
- Select "Lock & Edit"
- Select bipublisher and "Update"
- Leave all options the same and proceed to Finish
Page 54
- Select "Activate Changes"

- Start bipublisher
5. Copy the BIPublisherDesktop.exe from the
clients/bipublisher/repository/Tools location to the
bifoundation_domain/config/bipublisher/repository/Tools location

Patch Installation instructions specific to patch 13884769:
-----------------------------------------------------------------------------------------------------------------------------1. Stop all BI Services, including BI Server, BI Administration Tool, BI
Javahost, BI Scheduler
2. Backup ORACLE_HOME\bifoundation\server
3. Backup
ORACLE_INSTANCE\bifoundation\OracleBIServerComponent\coreapplication_o
bis1\repository
4. Follow manual script steps below to resolve bug 13840200: VERSION OF
CATMAN SHOWS 11.1.1.6.0 after applying 11.1.1.6.2 opatch
6. Start all BI Services
7. Determine the AdminService application's .ear file location:
a. Login to Weblogic Console as the Administrator user
b. Under Deployments, click on the adminservice(11.1.1) name link
c. Note the path of the AdminService.ear file
d. Return to the Summary of Deployments page
8. Stop the AdminService application
9. Delete the AdminService application
10. Install the AdminService application using the same .ear file as noted
step 7 above.
**IMPORTANT**
When installing, you must change the name from it's default value of
AdminService to AdminService_11.1.1. Without the
correct version number appended, the web service will not work properly.
Defaults may be used for all the other settings
11. After installation is complete, apply the changes and restart the
AdminService.
Tips:
Ensure that when you deploy the AdminService application that you
deploy it to the bi_cluster target only. Do not deploy it to the
AdminServer or you may see an error, when starting, like:
Page 55
java.io.FileNotFoundException: Could not open ServletContext resource

[/WEB-INF/AdminServiceConfig.xml]
Clarification on the cleancat script: You may want to first navigate

to the locations listed in the script to see if the files exist in your
environment (they may not). If they do not exist, then you may scip
running the patch. Additionally, the script may fail with an error. If that
happens, go to the directories the script is trying to delete and delete
them manually (if they exist).
Scripts to resolve bug 13840200: VERSION OF CATMAN SHOWS

11.1.1.6.0 after applying 11.1.1.6.2 opatch
-----------------------------------------------------------------------------------------------------------------------------For Linux: cleancat.sh
================================
#!/bin/sh
# Cleanup catman binary cache
echo "Cleaning up Catalog Manager binary cache"
rm -rf
$ORACLE_HOME/bifoundation/web/catalogmanager/configuration/org*
echo "Done"
For Windows: cleancat.cmd
================================
echo of
echo Cleaning up Catalog Manager binary cache
IF EXIST
%ORACLE_HOME
%\bifoundation\web\catalogmanager\configuration\org.eclipse.osgi
(
rmdir /S /Q
%ORACLE_HOME
%\bifoundation\web\catalogmanager\configuration\org.eclipse.osgi
)
IF EXIST
%ORACLE_HOME
%\bifoundation\web\catalogmanager\configuration\org.eclipse.equino
x.app (
rmdir /S /Q
%ORACLE_HOME
Page 56
%\bifoundation\web\catalogmanager\configuration\org.eclipse.equino
x.app
)
echo Done
Join our Oracle Business Intelligence Enterprise Edition (OBIEE) Community

to discuss issues with other Experts and learn more from your peers.
For more information on Oracle Business Intelligence Enterprise Edition
(OBIEE) Product documentation, Announcements, Hot Topics, Community and
Training details. Take a look at the Oracle Business Intelligence Enterprise
Edition (OBIEE) Product Information Center (PIC) (Doc ID 1267009.1).
Page 57

Master Note For Performance Issues in OBIEE

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Master Note For Performance Issues in OBIEE

Uploaded by

Copyright:

Available Formats

Master Note for Performance Issues in OBIEE (Doc ID 1293374.

3.Click the + sign to bring the Add Counters display as below.

4. From the Performance Object dropdown box, choose Process.

Repeat the above steps for NQServer also.

How To Troubleshoot Performance issues in OBIEE 10g? (Doc ID

hidden sections and guided navigations that always run.

Connection Pool and Nqsconfig.ini

How To Monitor Oracle Business Intelligence Enterprise Edition (OBIEE)

OBIEE 11g: Master Note for Security/Access Control Issues (Doc ID

To move WebLogic LDAP Users and groups, please see:

What Authentication Mechanisms are supported in OBIEE 11g (Doc ID

Authentication Mechanisms Currently Supported in OBIEE 11.1.1.3.0

FMW Security Authentication Mechanism

OID (OID Authenticator)

OVD (OVD Authenticator)

OpenLDAP (OpenLDAP Authenticator)

Sun Java System Directory Server version 6.3 (iPlanet Authenticator)

eDirectory 8.8. (NovellAuthenticator)

Native Weblogic LDAP (Default Authenticator)

Init Block Security Authentication Mechanism

Users in LDAP, group membership in database

64bit platforms (requires PATCH:10395783">10395783)

Authentication That is not Supported in OBIEE 11.1.1.3.0

SiteMinder 6 or OAM as an Authenticator

Group membership in a database

Use of Asserters and Authenticators combined with Init Block Authentication

Delivers Limitations when using EBS authentication

Hyperion CSS integration

Configuring Oracle Business Intelligence Enterprise Edition 11g to work

An Oracle White Paper

Create an Agent on the SiteMinder Policy Server

Required setup on HTTP Server.......................5

Web Agent setup on HTTP Server.....................6

Required setup on SiteMinder Policy Server....6

Configuration Required in the RPD..................7

Configure Oracle BI for SSO...........................12

Configuration on WebLogic to protect direct access

3.7.1 Protect direct http access to OBIPS............15

One approach involves using a SiteMinder Asserter (Application Agent) provided by

Access to RTD is not possible using this approach.

Oracle Business Intelligence 11.1.1.3 must be installed and running

3. On Agent Configuration Object Properties

WebLogicPort [WebLogic managed Server port default is 9704]

8. Restart your web server

9. You should see the BI login screen.

Setting up the Web Agent on the HTTP Server

2. Restart your web server .

4. Navigate to http://[fully-qualified hostname for webserver:port]/analytics .

5. Create another Initialization Block called authorization as shown:

Please refer to the documentation in Oracle Fusion Middleware Security

Configuring Oracle BI for SSO

<SchemaKeyVariable source="httpHeader" nameInSource="SM_USER" forceValue="SSOSiteminder"/>

<RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER"

<RequestVariable source="serverVariable soap" type="informational"

IMPORTANT NOTE: THE AUTHENTICATIONSCHEMAS .XML FILE IS AN INTERNAL CONFIGURATION

[web server IP Address] * [WebLogic Admin Server Port] allow

Protecting direct HTTP access to OBIPS

An example of the configuration required in your instanceconfig.xml file is shown

OBIEE 11g: Configuring Authentication and SSO with

An Oracle White Paper

Testing your changes................................................12

Define a Service Principal Name for the service......16