
Wednesday, July 4, 2012

Authentication failed issue in OBIEE11G

ISSUE:
Starting Presentation Services fails with the error:
[OBIPS] [ERROR:1] [] [saw.security.odbcuserpopulationimpl.getbisystemconnection] [ecid: ] [tid: ] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004.  Code: 10018.  [NQODBC] [SQL_STATE: 08004] [nQSError: 10018]
 Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 43126] Authentication failed: invalid user/password. (08004)[[
Also connecting to the metadata repository (RPD) in online mode fails with similar error.
Looking through the BI server log, nqserver.log, you may find an error message similar to the following:
[OracleBIServerComponent] [ERROR:1] [] [] [ecid: 0001J1LfUetFCC3LVml3ic0000pp000000] [tid: 1]
[13026] Error in getting roles from BI Security Service:
'Error Message From BI Security Service: [nQSError: 46164] HTTP Server returned 404 (Not Found) for URL .'
RESOLUTION:
  • Connect to WebLogic Server (WLS) Console -> Deployments. Ensure that all deployed components are in 'Active' state.
  • If any of the components is in 'Prepared' state, select that application and then click on "start servicing all requests"
  • Restart BI Server and Presentation Services
In some cases, the following additional step might be needed to resolve the issue.
  • Access the Enterprise Manager Fusion Middleware control: http://<host.domain>:port/em
  • Navigate to Business Intelligence -> coreapplication
  • 'Capacity Management' tab -> 'Scalability' sub-tab
  • Click on 'Lock and Edit Configuration' button
  • Enter the IP address in the 'Listen Address' field
  • Click on 'Activate Changes' followed by 'Release Configuration' buttons
  • Restart BI Server and Presentation Services
Also check these My Oracle Support (MOS) documents for more clues and information.
1387283.1 Authentication failed: invalid user/password
1251364.1 Error: "[nQSError: 10018] Access .. Refused. [nQSError: 43126] Authentication Failed .." when Installing OBIEE 11g
1410233.1.1 How To Bind Components / Ports To A Specific IP Address On Multiple Network Interface (NIC) Machines
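
The two excerpts above mean the "invalid user/password" message can be a side effect of the BI Security Service being unreachable rather than a bad credential. The following triage script is an added example, not part of the original post: it folds wrapped log lines back into entries and labels each 43126 by whether a 13026/46164 fault was logged close to it. The sample lines, their leading timestamps and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the excerpts quoted in this post; the
# leading timestamps are an assumption about the on-disk log format.
SAMPLE_LOG = """\
[2012-07-04T10:15:02.000+08:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 0001] [tid: 1] [13026] Error in getting roles from BI Security Service:
'Error Message From BI Security Service: [nQSError: 46164] HTTP Server returned 404 (Not Found) for URL .'
[2012-07-04T10:15:03.000+08:00] [OBIPS] [ERROR:1] [] [saw.security.odbcuserpopulationimpl.getbisystemconnection] [ecid: ] [tid: ] Authentication Failure.
[nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43126] Authentication failed: invalid user/password.
[2012-07-04T11:40:00.000+08:00] [OBIPS] [ERROR:1] [] [saw.security.odbcuserpopulationimpl.getbisystemconnection] [ecid: ] [tid: ] Authentication Failure.
[nQSError: 43126] Authentication failed: invalid user/password.
"""

TS = re.compile(r"^\[(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)")
AUTH_FAILED = "43126"               # "Authentication failed: invalid user/password"
SERVICE_FAULT = {"13026", "46164"}  # role lookup against BI Security Service failed

def entries(text):
    """Yield (timestamp, error codes) per entry, folding wrapped continuation lines."""
    current = None
    for line in text.splitlines() + [None]:
        if line is None or TS.match(line):
            if current:
                # Offset is ignored: all logs are assumed to come from one host.
                ts = datetime.strptime(TS.match(current).group(1), "%Y-%m-%dT%H:%M:%S")
                codes = set(re.findall(r"nQSError: (\d+)", current))
                codes |= set(re.findall(r"\[(13026)\]", current))
                yield ts, codes
            current = line
        elif current is not None:
            current += " " + line

def triage(text, window=timedelta(seconds=60)):
    """Label each 43126 by whether a security-service fault was logged within `window`."""
    parsed = list(entries(text))
    faults = [ts for ts, codes in parsed if codes & SERVICE_FAULT]
    result = []
    for ts, codes in parsed:
        if AUTH_FAILED in codes:
            near = any(abs(ts - f) <= window for f in faults)
            label = "security-service-unreachable" if near else "check-credentials"
            result.append((ts.isoformat(), label))
    return result

if __name__ == "__main__":
    for when, label in triage(SAMPLE_LOG):
        print(when, label)
```

Feed it the concatenated contents of sawlog0.log and nqserver.log; entry order does not matter because matching is by timestamp.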

Security in OBIEE 11g


Key Security Changes for Release 11g:
Some of the key changes in OBIEE security in 11g are:
1.     Users and Groups are no longer defined in the RPD
2.     User Profile is derived from the LDAP server
3.     RPD is protected by an RPD Password
4.     RPD is encrypted
5.     Introduction of Application Roles
6.     User Administrator and Group Administrators are not hard-coded in the RPD
7.     Administrator user is not used for Inter-Process Communication (component to component)
8.     Credential Store storage mechanism

OBIEE 11g provides a scalable default security mechanism available for immediate implementation after installation. The default security mechanism provides controls to manage users and groups, permission grants and credential store. Following are the security controls that are available after the installation.
1.     An embedded LDAP server in WebLogic available to store users and groups, known as the “Identity Store”.
2.     A file to store the permission grants information, known as the “Policy Store”.
3.     A file to store user and system credentials for inter-process communication, known as the “Credential Store”.
security_1.jpg

Let’s look at the differences based on some of the common security concepts, Authentication and Authorization.

Authentication:
In 10g, default Authentication is RPD based. In 11g, the user and group definitions are moved to an LDAP server embedded with WebLogic server, known as the “Identity Store”. Users and Groups can no longer be created in the RPD. Creation of Users and Groups and the association of members to groups are managed in the WebLogic administration console. WebLogic provides the default authentication provider for OBIEE 11g. Users are authenticated by the WebLogic server based on the credentials in the embedded WebLogic LDAP server. The embedded LDAP server is the default Authentication provider for WebLogic and hence OBIEE.
OBIEE 11g gets user, groups and other user attributes from the WebLogic LDAP server. This also eliminates the limitation we had with previous versions of OBIEE where only one Group for a user can be read directly from an LDAP server.
The following screenshot shows the default Authentication provider.
security_3.jpg

WebLogic supports integration with commercial identity management products (also known as Authentication providers). The screenshot below lists some of the Authentication Providers. OBIEE 11g certification matrix provides a list of all supported Authentication Providers.

security_4.jpg


At this time, the following Authentication providers are supported by OBIEE 11g.
·       Active Directory 2003, 2008
·       SiteMinder 6
·       OpenLDAP 2.2.x
·       Sun Java System Directory Server version 6.3
·       eDirectory 8.8

The following screenshot shows the users created in the WebLogic administration console. By default, users and groups are created using the Oracle WebLogic Server Administration Console.
 
security_5.jpg

The following screenshot shows the groups created using WebLogic administration console.




security_6.jpg


The following screenshot shows the members associated to the groups in the WebLogic administration console.

security_5a.png 

The users and groups created in the WebLogic administration console can be viewed in the OBIEE administration console. Before looking at the users in the RPD, since we are discussing the changes in Authentication, I would like to cover the RPD password. In OBIEE 11g, every RPD is protected by an RPD password. Remember, there is no “Administrator” user or “Administrators” group in OBIEE 11g. Look at the RPD creation screenshot below. The RPD creation utility requests a password to protect the RPD. The same password is also used to encrypt the RPD. In 10g only a few critical elements in the RPD were encrypted. In 11g, the entire RPD is encrypted.

security_7.jpg
Let’s take a look, in the OBIEE administration console, at the users that were created in the WebLogic admin console. Note that the menu item “Security” in 10g has changed to “Identity” in 11g.

security_8.jpg

In the screenshot below, we see that the users created using the WebLogic administration console and stored in the WebLogic embedded LDAP server are displayed by the OBIEE administration console.

security_9.jpg

Note that there is no option to create a user or a group in the menu from the screenshot below. The OBIEE administration tool only displays users defined in the WebLogic embedded LDAP server. There is a new menu item “Application Roles”. I will cover this when discussing the changes in Authorization.

security_10.jpg


Even though the underlying embedded WebLogic identity store is an LDAP server, the OBIEE server does not use the “Authentication” initialization block for the default LDAP server embedded within the WebLogic server. The default WebLogic authenticator is a replacement for the OBIEE authentication for users defined in the RPD in 10g. This gives us two options to integrate an external LDAP server with OBIEE for authentication. The external LDAP server can be integrated with WebLogic server as an additional authentication provider, or it can be integrated with OBIEE as in 10g, by registering the LDAP server in the RPD and creating an “Authentication” initialization block based on the registered LDAP server. The recommended approach going forward is to integrate all authentication providers at the WebLogic level.
In my next blog entry I will discuss the changes to “Authorization” in OBIEE 11g, the application roles, policy store and the credential store.



Authorization:
Authorization in 10g was achieved using a combination of Users, Groups and association of privileges and object permissions to Users and Groups. Two key changes to Authorization in OBIEE 11g are:
  1. Application Roles
  2. Policies / Permission Groups
Application Roles are introduced in OBIEE 11g. An application role is specific to the application. They can be mapped to other application roles defined in the same application scope and also to enterprise users or groups, and they are used in authorization decisions. Application roles in 11g take the place of Groups in 10g within OBIEE application. In OBIEE 10g, any changes to corporate LDAP groups require a corresponding change to Groups and their permission assignment. In OBIEE 11g, Application roles provide insulation between permission definitions and corporate LDAP Groups. Permissions are defined at Application Role level and changes to LDAP groups just require a reassignment of the Group to the Application Roles.
Permissions and privileges are assigned to Application Roles and users in OBIEE 11g compared to Groups and Users in 10g. The diagram below shows the relationship between users, groups and application roles. Note that the Groups shown in the diagram refer to LDAP Groups (WebLogic Groups by default) and not OBIEE application Groups.


security_12.jpg
The following screenshot compares the permission windows from Admin tool in 10g vs 11g. Note that the Groups in the OBIEE 10g are replaced with Application Roles in OBIEE 11g. The same is applicable to OBIEE web catalog objects.

security_11.jpg  

The default Application Roles available after OBIEE 11g installation are BIAdministrator, BISystem, BIConsumer and BIAuthor.

Application policies are the authorization policies that an application relies upon for controlling access to its resources. An Application Role is defined by the Application Policy. The following screenshot shows the policies defined for BIAdministrator and BISystem Roles.
Note that the permission for impersonation is granted to BISystem Role. In OBIEE 10g, the permission to manage repositories and Impersonation were assigned to “Administrators” group with no control to separate these permissions in the Administrators group. Hence user “Administrator” also had the permission to impersonate. In OBI11g, BIAdministrator does not have the permission to impersonate. This gives more flexibility to have multiple users perform different administrative functions.

security_13.jpg

Application Roles, Policies, association of Policies to application roles and association of users and groups to application roles are managed using Fusion Middleware Enterprise Manager (FMW EM). They reside in the policy store, identified by the system-jazn-data.xml file. The screenshots below show where they are created and managed in FMW EM.

security_14.jpg
The following screenshot shows the assignment of WebLogic Groups to Application Roles.
security_15.jpg
The following screenshot shows the assignment of Permissions to Application Roles (Application Policies).
security_16.jpg
Note: Object-level permission associations to Application Roles reside in the RPD for repository objects. Permissions and privileges for web catalog objects reside in the OBIEE Web Catalog. Wherever Groups were used in the web catalog and RPD, they have been replaced with Application Roles in OBIEE 11g.
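
Because a group inherits whatever its application roles are granted, and roles can be members of other roles, reviewing who effectively holds a permission such as impersonation means walking the policy store. The following audit script is an added example, not part of the original post or of Oracle's tooling. The XML fragment is constructed, and its element, class and permission names are assumptions based on the usual layout of system-jazn-data.xml that should be checked against your own file.

```python
import xml.etree.ElementTree as ET

ROLE = "oracle.security.jps.service.policystore.ApplicationRole"

# Constructed policy-store fragment, not from a real system. Element, class and
# permission names are assumed from the usual system-jazn-data.xml layout.
SAMPLE = f"""<jazn-data><policy-store><applications><application><name>obi</name>
<app-roles>
<app-role><name>BISystem</name><members>
 <member><class>weblogic.security.principal.WLSUserImpl</class><name>BISystemUser</name></member>
</members></app-role>
<app-role><name>BIAdministrator</name><members>
 <member><class>weblogic.security.principal.WLSGroupImpl</class><name>BIAdministrators</name></member>
</members></app-role>
<app-role><name>BIAuthor</name><members>
 <member><class>weblogic.security.principal.WLSGroupImpl</class><name>BIAuthors</name></member>
 <member><class>weblogic.security.principal.WLSGroupImpl</class><name>testgroup1</name></member>
 <member><class>{ROLE}</class><name>BIAdministrator</name></member>
</members></app-role>
</app-roles>
<jazn-policy>
<grant><grantee><principals><principal><class>{ROLE}</class><name>BISystem</name></principal></principals></grantee>
 <permissions><permission><name>oracle.bi.server.impersonateUser</name></permission></permissions></grant>
<grant><grantee><principals><principal><class>{ROLE}</class><name>BIAdministrator</name></principal></principals></grantee>
 <permissions><permission><name>oracle.bi.server.manageRepositories</name></permission></permissions></grant>
</jazn-policy>
</application></applications></policy-store></jazn-data>"""

def load(xml_text):
    """Return (role -> [(member class, member name)], permission -> {granted roles})."""
    root = ET.fromstring(xml_text)
    members, grants = {}, {}
    for role in root.iter("app-role"):
        members[role.findtext("name")] = [
            (m.findtext("class"), m.findtext("name")) for m in role.iter("member")]
    for grant in root.iter("grant"):
        roles = [p.findtext("name") for p in grant.iter("principal")
                 if p.findtext("class") == ROLE]
        for perm in grant.iter("permission"):
            grants.setdefault(perm.findtext("name"), set()).update(roles)
    return members, grants

def effective_members(role, members, seen=None):
    """Users and groups that end up in `role`, following role-in-role membership."""
    seen = set() if seen is None else seen
    if role in seen:                      # guard against cyclic role membership
        return set()
    seen.add(role)
    found = set()
    for cls, name in members.get(role, []):
        if cls == ROLE:
            found |= effective_members(name, members, seen)
        else:
            found.add(name)
    return found

def holders(permission, xml_text):
    """Users and groups that effectively hold `permission` through any role."""
    members, grants = load(xml_text)
    return set().union(*(effective_members(r, members)
                         for r in grants.get(permission, ())))

if __name__ == "__main__":
    print(sorted(holders("oracle.bi.server.impersonateUser", SAMPLE)))
```

Run it against a copy of the policy store after any role change and compare the holders of the impersonation permission with the expected set.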
Following are the tools used in OBIEE 11g Security Administration:
·       Users and Groups are managed in Oracle WebLogic Administration console (by default). If WebLogic is integrated with other LDAP products, then Users and Groups need to be managed using the interface provided by the respective LDAP vendor – New in OBIEE 11g
·       Application Roles and Application Policies are managed in Oracle Enterprise Manager - Fusion Middleware Control – New in OBIEE 11g
·       Repository object permissions are managed in OBIEE Administration tool – Same as 10g but the assignment is to Application Roles instead of Groups
·       Presentation Services Catalog Permissions and Privileges are managed in OBI Application administration page - Same as 10g but the assignment is to Application Roles instead of Groups

Credential Store: Credential Store is a single consolidated service provider to store and manage the application credentials securely. The credential store contains credentials that are either user supplied or system generated. Credential store in OBIEE 10g is file based and is managed using the cryptotools utility. In 11g, the Credential store can be managed directly from the FMW Enterprise Manager and is stored in the cwallet.sso file. By default, the Credential Store stores passwords for deployed RPDs, BI Publisher data sources and the BISystem user. In addition, the Credential store can be LDAP based, but only Oracle Internet Directory is supported right now.
security_17.jpg

As you can see OBIEE security is integrated with Oracle Fusion Middleware security architecture. This provides a common security framework for all components of Business Intelligence and Fusion Middleware applications.

OBIEE 11g log files path


In this post, we are going to see where the log files in OBIEE 11g reside.
In OBIEE 10g, we can check the different log files in the installation directory. In OBIEE 11g, we have got Enterprise Manager Console, where we can check log files but we can still see these files in OBIEE install directory.
  • Enterprise Manager Console
Log on to EM Console (http://localhost:7001/em). Once you have logged on, in the left pane navigate to Farm_bifoundation_domain –> Business Intelligence –> coreapplication –> Diagnostics –> Log Messages
Here you can see the Most Recent Errors and Most Recent Warnings. After the warning messages, you can also see all the log files grouped by categories using Log Viewer.
Available files:
• Presentation Services Log
• Server Log
• Scheduler Log
• JavaHost Log
• Cluster Controller Log
• Action Services Log
• Security Services Log
• Administrator Services Log



  • Manually open log files from your install directory
In this section we will see all the available log files and their paths on the hard disk. The log files for OBIEE components are found under /instances/instance1/diagnostics/logs (eg: C:\OBI\instances\instance2\diagnostics\logs)
These are the different type of log files:
Presentation Server log files
/instances/instance1/diagnostics/logs/OracleBIPresentationServicesComponent/coreapplication_obips1
Files: sawlog0.log, webcatupgrade0.log
BI Server log files
/instances/instance1/diagnostics/logs/OracleBIServerComponent/coreapplication_obis1
Files: nqquery.log, nqserver.log, servername_NQSAdminTool.log, servername_nQUDMLExec.log, servername_obieerpdmigrateutil.log
Scheduler log
/instances/instance1/diagnostics/logs/OracleBISchedulerComponent/coreapplication_obisch1
Files: nqscheduler.log
Cluster Controller log
/instances/instance1/diagnostics/logs/OracleBIClusterControllerComponent/coreapplication_obiccs1
Files: nqcluster.log
ODBC log
/instances/instance1/diagnostics/logs/OracleBIODBCComponent/coreapplication_obips1
OPMN log
/instances/instance1/diagnostics/logs/OPMN/opmn
Files: debug.log, logquery~NUMBER.log, opmn.log, opmn.out, service.log
Installation logs
/logs

Use of Log Viewer: You can search for and view the log entries for Oracle Business Intelligence components using Fusion Middleware Control Log Viewer. The log files can be searched for log messages, and you can apply filters that can, for example, target a certain date range, user, user transaction, or level of message (error, warning, notification, and so on). You can also view log files in their entirety from the Fusion Middleware Control Log Viewer

Problems encountered while installing OBIEE after uninstalling the previous version


ISSUE 1 :


On running the Oracle XE Database installer, I hit this problem:


"OracleXEService should not be installed already"

[...]
Checking for Oracle XE Service instance…:
Expected result : OracleXEService should not be installed already.
Actual result: OracleServiceXE found on system.
Check complete: The overall result of this check is failed.

This error can be overcome by cleaning the registry properly after uninstalling. Follow this link for cleaning the registry:
http://pagelock.blogspot.in/2012/07/how-to-clear-registry-and-do-clean.html


ISSUE 2 :


The below error comes when trying to run the rcu.bat file

  
Solution: Copy the rcu setup to the desktop and install

ISSUE 3 :

Below error comes when setting up rcu.


Solution: Start OracleXEClrAgent and OracleXETNSListener. Now run rcu.














Till next time :)

How to clear registry and do a clean OBIEE Uninstallation

Hi friends..I will be discussing how to uninstall OBIEE so that we can do a fresh install

UNINSTALL WEBLOGIC


1.       Go to Start –> Control Panel –> Select Oracle Weblogic and click Uninstall/Change



2.       A popup window will open, just follow the below screenshots





UNINSTALL OBIEE



3.       Go to Start –> All Programs –> Oracle Business Intelligence –> Deinstall



4.       A popup window will open to deinstall business intelligence tools. Follow the below screenshots











 UNINSTALL DATABASE


To deinstall Oracle Database XE by using Add or Remove Programs:
  1. In the Windows Control Panel, select Add or Remove Programs.
  2. Select Oracle Database 11g Express Edition.
  3. Click Change/Remove.
  4. In the Oracle Database 11g Express Edition - Install Wizard, select Remove, click Next, and then click Yes in the confirmation window. When the deinstallation completes, click Finish.
Reference:
http://docs.oracle.com/cd/E17781_01/install.112/e18803/toc.htm#CIHDDHJD

CLEANUP REGISTRY

1. Go to Run and type regedit. The Registry Editor window appears.

2. Navigate to the locations inside HKEY_LOCAL_MACHINE shown in the screenshot and delete the marked folders.

Deleting the below folder KEY_OH29480770 cleans up the OBIEE installation from registry.


 Deleting the below folder KEY_OH2023886701 cleans up the Weblogic installation from the registry.














Navigate to the services folder as shown below















Inside the services folder, navigate to the folder OracleServicesXE and delete that folder. This cleans up the database from the registry.












Now uninstallation is complete. Your system is ready for a new installation. Restart the system and start the fresh installation.


Some interesting discussion on uninstalling Oracle database completely by cleaning up the registry and also on things to take care when installing database on servers.

http://oracle.ittoolbox.com/groups/technical-functional/oracle-db-l/database-installation-successful-but-database-wont-start-4822005?reftrk=no&trdref=4e6577736c6574746572

Till next time..bye :)

Assigning Application role to groups

This is done in enterprise manager.

Click on Application Roles.


Note:
Here we are adding a group testgroup1 in the application role BI Author.
Click the role BI Author.

We have added the group testgroup1 to the application role BI Author by clicking on the Add Group button.
As we can see, the groups BI Authors and testgroup1 are now given all the permissions of the application role BI Author.
Also the application role BI Administrator is given all the permissions of application role BI Author.


Starting OPMN


Hey guys..just a small post on how to start OBIEE11G.

1. Start BI Services.

Wait till the status turns to RUNNING


2. Start OPMN

Following are the OPMN commands:

opmnctl status --> to see status of the components.
opmnctl startall --> to start opmn and all associated components.
opmnctl stopall --> to stop opmn and all associated components.
opmnctl stop --> to stop only opmn
opmnctl start --> to start only opmn
opmnctl stop

Check the status of components first.

Go to the corresponding folder where opmn is present. Run the following commands:

opmnctl start
opmnctl status

All the components must be down and pid must be N/A.


Now start all OPMN components.

opmnctl startall

Check the status of the components.

opmnctl status


Now we are ready to log in to the EM and Analytics pages.


Error debugging:

Case 1: some of the components are in Down status but still have a pid
Case 2: some of the components are in Stop status

Solutions:
1. Manually kill the corresponding components

opmnctl stopproc ias-component=<component_name>

2. Stop the BI services and start them again.



3. Manually start the "Oracle WebLogic NodeManager" service from services.msc
4. Manually start the OPMN-related service "OracleProcessManager_instance1" from services.msc
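
The two error cases and the "all Down with pid N/A" precondition can be checked mechanically from the status table. The following parser is an added example, not part of the original post: the sample `opmnctl status` output is constructed, and pairing case 2 with a service restart is an assumption, since the post lists its solutions without saying which case each one addresses.

```python
# Constructed `opmnctl status` output (component names follow the paths used on this page).
SAMPLE = """\
Processes in Instance: instance1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
coreapplication_obiccs1          | OracleBIClusterCo~ |    4960 | Alive
coreapplication_obisch1          | OracleBIScheduler~ |    5120 | Down
coreapplication_obijh1           | OracleBIJavaHostC~ |     N/A | Stop
coreapplication_obips1           | OracleBIPresentat~ |     N/A | Down
coreapplication_obis1            | OracleBIServerCom~ |    4520 | Alive
"""

def parse_status(text):
    """Return (component, pid, status) for each data row of the status table."""
    rows = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        # Banner and separator lines have no '|' columns; the header row is skipped by name.
        if len(cols) != 4 or cols[0] == "ias-component":
            continue
        rows.append((cols[0], cols[2], cols[3]))
    return rows

def diagnose(text):
    """Flag the two error cases described in the post and suggest a next step."""
    findings = []
    for name, pid, status in parse_status(text):
        if status == "Down" and pid != "N/A":
            # Case 1: reported Down but a process id is still attached.
            findings.append((name, "case1", f"opmnctl stopproc ias-component={name}"))
        elif status == "Stop":
            # Case 2: action chosen here is an assumption (solution 2 in the post).
            findings.append((name, "case2", "restart BI services, then opmnctl startall"))
    return findings

def clean_before_startall(text):
    """True when every component is Down with pid N/A, the state expected before startall."""
    rows = parse_status(text)
    return bool(rows) and all(s == "Down" and p == "N/A" for _, p, s in rows)

def all_alive(text):
    """True when every component reports Alive after startall."""
    rows = parse_status(text)
    return bool(rows) and all(s == "Alive" for _, _, s in rows)

if __name__ == "__main__":
    for name, case, action in diagnose(SAMPLE):
        print(f"{name}: {case} -> {action}")
```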

reference:
http://gerardnico.com/wiki/weblogic/opmn

Thank you

- Naveen