Category Archives: Security

How to reset/change the ‘Administrator’ password in OBIEE, BI Publisher and BI Scheduler

We would like to reset the ‘Administrator’ password for:

i) ‘OBIEE’
ii) ‘BI Publisher’ and
iii) ‘BI Scheduler’

Please provide a solution to perform a password reset.
Solution

The steps to perform this task are below.

The example solution begins by creating a BI Publisher superuser.

On both OBIEE and BI Publisher:

Start username/password: Administrator/Administrator
After username/password: Administrator/admin3

BI Publisher superuser username/password: admin2/admin2

After the test I also proved you could log into OBIEE and click on the preconfigured Dashboard.

Please follow the exact steps below and create the same usernames and passwords to start off with.

1. Take a backup copy of the c:\OracleBI\xmlp\XMLP\Admin\Configuration\xmlp-server-config.xml file.
2. Log into BI Publisher
3. Select Admin > Security Center > Security Configuration
4. Enable a Local Superuser called: admin2 with the password admin2. Click <Apply>

5. Restart oc4j
6. Sign into BI Publisher as  admin2/admin2
This should log in successfully.

7. Log into OBIEE Admintool (Online) and change the Administrator password to ‘admintool’.
8. Check in and save the changes.
9. Log into OBIEE Answers as Administrator/admin3

10. Change the ‘Administrator’ password under the ‘Security Model’ to ‘admin3’. Click <Apply>
11. Restart oc4j
12. Login to BI Publisher as Administrator/admin3
This should log in successfully.

13. Log into OBIEE Answers as Administrator/admin3
14. Click on More Products > BI Publisher
15. This should go straight through to BI Publisher without prompting for a username and password.

If the above method still fails attach your c:\OracleBI\xmlp\XMLP\Admin\Configuration\xmlp-server-config.xml file for comparison. I would expect the encrypted password strings to exactly match my environment.

** BI Scheduler password **

This password can be changed in ‘schconfig’ from the DOS/UNIX command line/shell.
C:\>schconfig
Copyright (c) 1997-2006 Oracle Corporation, All rights reserved

***** Delivers Configuration Menu *****
1 – Configure Scheduler

>>> Enter Choice: 1

***** Scheduler Configuration *****
1 – Database
2 – General
3 – Advanced
0 – Quit

>>> Enter Choice:

>>> Enter Choice: 2

***** Scheduler General Configuration *****
10 – Administrator Name : Administrator
11 – Administrator Password : *****
0 – Quit

>>> Enter Choice: 10, then 11

0 – Quit
0 – Quit
0 – Quit

Quit 3 times and restart all Analytics Services (to bring them back in sync; restarting the BI Scheduler on its own also works, but Job Manager connections may exhibit stale behaviour depending on what has been changed).

How to set session variables using url variables

The goal is to set session variables using url variables, but can you also do this for the user and password?
url variable (&Upwd) is not passed to session variable USER_PWD.
The variable USER is correctly passed, the variable USER_PWD is not!

Solution

The steps to set an OBIS session variable via a URL call, using the
instanceconfig.xml tag, are as follows:

1. Create a session init block that will act as a ‘placeholder’ for the
session variable to be set via the url call – the variable can be set to
anything.

2. Set the ‘Enable any user to set the value’ option for the variable.

3. Add the following tag block to the instanceconfig.xml file anywhere
between the <ServerInstance></ServerInstance> tags:

<Auth>
<UserIdPassword enabled="true">
<ParamList>
<Param name="NQ_SESSION.TEST_VAR"
source="url"
nameInSource="SETVAR"/>
</ParamList>
</UserIdPassword>
</Auth>
“TEST_VAR” should match the session variable name (case sensitive).

4. The following option will need to be appended to the OBI url passed:
&SETVAR=‘variable value to pass’. So a full example would be:
http://localhost:9704/analytics/saw.dll?Dashboard&nqUser=USER001&nqPassword=USER001&SETVAR=SomeValue

However, note that you cannot set the value of any System Security Session variable (specifically USER, PROXY, GROUP and WEBGROUPS) using any source method (e.g.: url, cookie, httpHeader) by design. Having this ability would open possible security breaches.

If you attempt to set the USER variable with the following instanceconfig.xml setting:

<Param name="NQ_SESSION.USER" source="url" nameInSource="nquser" />

You will get the following error when using the url: http://localhost:9704/analytics/saw.dll?Dashboard&nquser=user1&nqpassword=public :

nQSError: 10018: Access for the requested connection is refused
nQSError: 1315 You do not have the permission to set the value of the variable :USER
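
An audit of the Param mappings described above, as an added example that is not part of the original post or of Oracle's tooling: it lists every session variable a request can set through url, cookie or httpHeader, and marks the mappings onto USER, PROXY, GROUP and WEBGROUPS that the server refuses. The sample XML is constructed, REGION is a hypothetical variable name, and comparing the system variable names case-insensitively is an assumption.

```python
import xml.etree.ElementTree as ET

# System security session variables the post says cannot be set from any source.
PROTECTED = {"USER", "PROXY", "GROUP", "WEBGROUPS"}
# Request-controlled sources named in the post (compared in lower case).
CLIENT_SOURCES = {"url", "cookie", "httpheader"}

# Constructed sample, modelled on the tag block shown in the post.
SAMPLE = """<ServerInstance>
<Auth>
<UserIdPassword enabled="true">
<ParamList>
<Param name="NQ_SESSION.TEST_VAR" source="url" nameInSource="SETVAR"/>
<Param name="NQ_SESSION.USER" source="url" nameInSource="nquser"/>
<Param name="NQ_SESSION.REGION" source="cookie" nameInSource="region"/>
</ParamList>
</UserIdPassword>
</Auth>
</ServerInstance>"""


def audit_params(xml_text):
    """Return (variable, source, nameInSource, status) for each client-fed <Param>."""
    findings = []
    root = ET.fromstring(xml_text)
    for param in root.iter("Param"):
        source = param.get("source", "")
        if source.lower() not in CLIENT_SOURCES:
            continue
        # "NQ_SESSION.TEST_VAR" -> "TEST_VAR"
        variable = param.get("name", "").split(".", 1)[-1]
        if variable.upper() in PROTECTED:
            status = "rejected-by-server"   # nQSError 1315 at login, per the post
        else:
            status = "client-settable"      # anyone who can craft the request sets it
        findings.append((variable, source, param.get("nameInSource", ""), status))
    return findings


if __name__ == "__main__":
    for variable, source, key, status in audit_params(SAMPLE):
        print(f"{status:20} {variable:10} <- {source}:{key}")
```

Every variable reported as client-settable should be reviewed wherever the repository uses it in a filter or init block, since its value comes straight from the request.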

LDAP: how to restrict the login to members of certain groups in OBIEE?

The question is whether you can mix LDAP and other types of authentication. In one word – yes and no.

Here’s what Oracle suggests:

1. You can have internal authentication and LDAP authentication, e.g. users in the rpd, and users in the LDAP.

For users not defined in the repository, the presence of a defined session system variable USER determines that external authentication is performed.
So using this method, you can have groups with internal users using the internal security, and groups with users that use the LDAP authentication.

But you cannot mix external table and LDAP authentication for example, as you cannot have different connection pools on same init block.

2. The best option would be to create your own authentication DLL (custom authentication) so you will have full control over which systems you look up for the user account.
You can write your own DLL in C++, and have OBI Server invoke it. BI just passes the username/pwd received, and waits for an authenticated/not authenticated message from the DLL.

This has existed since 10.1.3.2.

We provide an example of such dll.
Location for the sample one: D:\OracleBI\server\SDK\CustomAuthenticatorSamples

I wonder if anyone tried it – I think that at this time, it’d be easier to work around the requirement by using standard methods. Let’s see what John Minkjan might say about it.

Privileges don’t get shown by default

This has been bugging me for a while. Now, I know what the problem was.

When are Subject Areas and View Privileges visible in the Admin > Manage Privileges link?

Solution

Definitions:

  • “webserver service” refers to the Web Server Software being used for Siebel Analytics Web (i.e. IIS, iPlanet/Sun ONE or Tomcat)
  • “webclient session” refers to a Siebel Analytics Web session

The functionality is as follows:

1. A Subject Area is stored in a webcat once a user has accessed it via Answers.

2. The Subject Area will be visible in the Admin > Manage Privileges link only if a user has accessed the Answers link.

3. Subject Areas will persist for the life of the webcat, but will not be accessible via the Admin > Manage Privileges link after the webserver services have been stopped and restarted. They will only be accessible once a user (any user) has accessed the Answers page in a webclient session.

4. The behavior described in Step 3 ensures that potentially archived, deleted or renamed subject areas are not visible for setting privileges.

5. The View privileges will also not be accessible via the Admin > Manage Privileges link after a webserver service recycle until and unless a user (any user) has accessed it in a webclient session.

a. When you run a request, the following privileges become visible in the Admin > Manage Privileges link
View Compound
View Filters
View Narrative
View Nested Request
View Pivot Table
View Logical SQL
View Table
View Ticker
View Title

b. When the user clicks on “Customize View”, the following privileges become visible:
View Create Segment
View Chart

c. When the user clicks on Views Tab, the following privileges become visible:
View Question
View Column Filter
View Global Filter
View Image

How do you enable SSO for an embedded OBIEE Report in Hyperion Workspace 9.3.1?

OBI EE and Hyperion Workspace / Smartspace integration was only introduced in EPM 11.1.1 and OBI EE 10.1.3.4.

To have a seamless integration (no OBI EE login screen) when navigating from Hyperion Workspace 9.3.1 to OBI EE 10.1.3.4, you have the following options, which might meet your implementation requirement:

1) Use the ‘&NQUser=uuu&NQPassword=ppp’ URL arguments.

These are detailed in the section ‘Incorporating Oracle Business Intelligence Results into External Portals or Applications Using the Go URL’ of the Presentation Server Guide.

2) Enable OBI EE to use SSO. We support any SSO Vendor (SiteMinder, ClearTrust, Oracle SSO, Java SSO, etc…) which supports either HTTP Headers, Server Variables or Cookies.

Please see Chapters 8 and 10 of the Deployment Guide for more information on this area of functionality.

Neither of these options has been designed specifically for Workspace, but they should give you a generic option to implement a solution where no login is required when navigating to OBI EE from Workspace.

3) Just create a custom Init Block and custom session variable. Set the session variable to be initialized with the password. The query for the password initialization would be

SELECT ':PASSWORD' FROM DUAL

Now, go to Answers and create a report which would generate the Smartcut link. To this link pass the username (through the USER system session variable) and the password (through the custom session variable above). This will enable seamless login.

4) Enable BI EE to use the Table Authentication method, where usernames and passwords are stored in a database table. Passwords would be stored in encrypted form using obfuscation packages provided with the database.

Then create a report which would generate the Smartcut link. To this link pass the username (through the USER system session variable) and the password (through EVALUATE and a reverse obfuscation package function which would return the password in clear text) in the report.
Then just use this report in the dashboard for providing the link. This will provide a seamless login.

5) I believe Workspace supports Impersonation. Technical Support have not tested this but it should work if the impersonation is possible. Using the same report approach above pass the Administrator username and password in the URL (these would be static) and also pass the actual BI EE username as the impersonation user in the URL. Provider services and Essbase JAPI support impersonation. We assume Workspace should support that as well. But of course, if it’s not supported then this would not work. Please liaise with Hyperion Technical Support or a Consultancy Department like Expert Services to look into this option further.

The above options are only supplied as possible workarounds, but Technical Support highly recommends that you upgrade to Hyperion Workspace 11.1.1 so you can leverage the built-in integration functionality.
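
Passwords passed as URL arguments, as in option 1 above and in the earlier saw.dll example with nqUser and nqPassword, are written to web server access logs together with the rest of the query string. The following added example (not from the original posts) finds such requests in access-log lines and returns copies with the password redacted; the log lines are constructed and the log format is an assumption.

```python
import re

# The posts write the arguments as nqUser/nqPassword, NQUser/NQPassword and
# nquser/nqpassword, so both patterns ignore case.
PWD_RE = re.compile(r'([?&]nqpassword=)([^&\s"]*)', re.IGNORECASE)
USER_RE = re.compile(r'[?&]nquser=([^&\s"]*)', re.IGNORECASE)

# Constructed access-log lines (assumed common log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /analytics/saw.dll?'
    'Dashboard&nqUser=USER001&nqPassword=USER001&SETVAR=SomeValue HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /analytics/saw.dll?'
    'Dashboard HTTP/1.1" 200 4096',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /analytics/saw.dll?'
    'Dashboard&NQUser=uuu&NQPassword=ppp HTTP/1.1" 200 2048',
]


def find_url_credentials(lines):
    """Return one finding per line whose request URL carries a password argument."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if not PWD_RE.search(line):
            continue
        user = USER_RE.search(line)
        findings.append({
            "line": number,
            # Account whose password was exposed and should be rotated.
            "user": user.group(1) if user else None,
            # Copy of the line that is safe to forward to a ticket or SIEM.
            "redacted": PWD_RE.sub(r"\1REDACTED", line),
        })
    return findings


if __name__ == "__main__":
    for finding in find_url_credentials(SAMPLE_LOG):
        print(finding["line"], finding["user"], finding["redacted"])
```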