Friday, 12 April 2013

Submitted Sessions for Oracle Open World and JavaOne 2013

It is again that time of year, where everyone is searching for their best English and writes a small piece of text to convince a group of people.  We also did the same exercise and handed over our papers for Oracle Open World and JavaOne.

Here is our (Contribute's) list of papers for 2013:


ID       Proposed Session Title                                                          Type
TUT4879  Building your stock management solution for no more then $299                   Tutorial
CON4907  Making Open-Source & Oracle security best friends. The Mazda story.             Conference Session
CON4872  No SOA without Service Orchestration                                            Conference Session
CON4901  Score with the right Oracle technology for the right audience. The RBFA story.  Conference Session
CON1846  Taking You from Forms to ADF Mobile: a Journey                                  User Group Forum (Sunday Only)


I would advise everyone else to do the same, but ... preferably on different topics ;-).

Thanks to everyone who helped build this list and everyone who is going to help get some talks accepted.

Very much appreciated.

Filip

Tuesday, 9 April 2013

Installing HTTP_Server with WebGate

Challenge

Installing an HTTP Server and configuring it to be used as an entry point for OAM.

Context

OAM 11.1.2 running on WLS 10.3.6.0

Solution

Installing the HTTP_Server
  • Unzipping the HTTP_Server software
    • cd /opt/install/oam
    • mkdir patch6
    • unzip WebTier_11Patch6.zip -d patch6
    • cp patch6/Disk1/stage/Response/WebTierInstallAndConfigure.rsp ./WebTierInstallAndConfigurePatch6.rsp
    • cp patch6/Disk1/stage/Response/staticports.ini .
    • mv staticports.ini webtier_staticport.ini
    • Adapt the WebTierInstallAndConfigurePatch6.rsp
      [ENGINE]
      
      #DO NOT CHANGE THIS.
      Response File Version=1.0.0.0.0
      
      [GENERIC]
      
      #Set this to true if you wish to specify a directory where latest updates are downloaded. This option would use the software updates from the specified directory
      SPECIFY_DOWNLOAD_LOCATION=false
      
      #
      SKIP_SOFTWARE_UPDATES=true
      
      #If the Software updates are already downloaded and available on your local system, then specify the path to the directory where these patches are available and set SPECIFY_DOWNLOAD_LOCATION to true
      SOFTWARE_UPDATES_DOWNLOAD_LOCATION=
      
      #Set this to true if installation and configuration need to be done, all other required variables need to be provided. Variable "INSTALL AND CONFIGURE LATER TYPE" must be set to false if this is set to true as the variables are mutually exclusive
      INSTALL AND CONFIGURE TYPE=true
      
      #Set this to true if only Software only installation need to be done. If this is set to true then variable "INSTALL AND CONFIGURE TYPE" must be set to false, since the variables are mutually exclusive.
      INSTALL AND CONFIGURE LATER TYPE=false
      
      #Provide the Oracle Home location. The Oracle Home directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character. The total length has to be less than or equal to 128 characters. The location has to be an empty directory or a valid WebTier Oracle Home.
      ORACLE_HOME=/u01/app/oam/product/webtier/OHS
      
      #Provide existing Middleware Home location.
      MIDDLEWARE_HOME=/u01/app/oam/product/webtier
      
      #The name of the Oracle Instance. Instance name must begin with an alphabetic character, may only contain alphanumeric characters, or the underscore (_) or hyphen (-) characters and are 4 to 30 characters long.
      INSTANCE_HOME=/u01/app/oam/product/webtier/instances/instance1
      
      #Provide the Oracle Instance location. The Oracle Instance directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character. The total length has to be less than or equal to 128 characters. The location has to be an empty or non existing directory.
      INSTANCE_NAME=instance1
      
      #If set to true, installer will auto assign ports
      AUTOMATIC_PORT_DETECT=false
      
      #This is required if "AUTOMATIC_PORT_DETECT" variable is set to false, absolute path of a staticports file location need to be provided with values for ports.\nThe template for staticports.ini can be found from Disk1/staget/Response directory of the shiphome.
      STATICPORT INI FILE LOCATION=/opt/install/oam/webtier_staticport.ini
      
      #Provide the My Oracle Support Username. If you wish to ignore Oracle Configuration Manager configuration provide empty string for user name.
      MYORACLESUPPORT_USERNAME=
      
      #Provide the My Oracle Support Password
      MYORACLESUPPORT_PASSWORD=
      
      #Set this to true if you wish to decline the security updates. Setting this to true and providing empty string for My Oracle Support username will ignore the Oracle Configuration Manager configuration
      DECLINE_SECURITY_UPDATES=true
      
      #Set this to true if My Oracle Support Password is specified
      SECURITY_UPDATES_VIA_MYORACLESUPPORT=false
      
      #Provide the Proxy Host
      PROXY_HOST=
      
      #Provide the Proxy Port
      PROXY_PORT=
      
      #Provide the Proxy Username
      PROXY_USER=
      
      #Provide the Proxy Password
      PROXY_PWD=
      
      
      [SYSTEM]
      
      #Set true to configure Oracle HTTP Server, else skip Oracle HTTP Server configuration
      CONFIGURE_OHS=true
      
      #Set true to configure Oracle Web Cache, else skip Oracle Web Cache configuration
      CONFIGURE_WEBCACHE=false
      
      #The Oracle HTTP Server (OHS) component name (required only if CONFIGURE_OHS is set to true). OHS component name must begin with an alphabetic character, may only contain alphanumeric characters, or the underscore (_) or hyphen (-) characters and are 4 to 30 characters long.
      OHS_COMPONENT_NAME=ohs1
      
      #The Web Cache component name (required only if CONFIGURE_WEBCACHE is set to true). Web Cache component name must begin with an alphabetic character, may only contain alphanumeric characters, or the underscore (_) or hyphen (-) characters and are 4 to 30 characters long.
      WEBCACHE_COMPONENT_NAME=
      
      #Valid passwords are 5 to 30 characters long, must begin with an alphabetic character, use only alphanumeric, underscore (_), dollar ($) or pound (#) characters and include at least one number.
      WEBCACHE_ADMINISTRATOR_PASSWORD=
      
      #The confirmation password for Web Cache administrator.
      WEBCACHE_ADMINISTRATOR_PASSWORD_CONFIRM=
      
      
      [APPLICATIONS]
      
      
      [RELATIONSHIPS]
      
      #If set to true, the instance and components will be registered with an existing weblogic server
      ASSOCIATE_WEBTIER_WITH_DOMAIN=false
      
      #Provide an existing domain host name. Required only if ASSOCIATE_WEBTIER_WITH_DOMAIN is set to true
      DOMAIN_HOST_NAME=
      
      #Provide the existing domain port number. Required only if ASSOCIATE_WEBTIER_WITH_DOMAIN is set to true
      DOMAIN_PORT_NO=
      
      #Provide the domain user name. Required only if ASSOCIATE_WEBTIER_WITH_DOMAIN is set to true
      DOMAIN_USER_NAME=
      
      #The domain user password. Required only if ASSOCIATE_WEBTIER_WITH_DOMAIN is set to true
      DOMAIN_USER_PASSWORD=
      
    • Adapt the webtier_staticport.ini file
      #######################################################################################
      #This file is a template file for staticports.ini
      #This file must be edited to provide the ports which required to be set
      #Those ports which are not provided explicitly in this file will be assigned automatically
      #The ports should be specified as a single port
      #Keep in mind to uncomment the port no
      #######################################################################################
      
      ########################Begin section for OPMN Port No################################
      ######################################################################################
      
      [OPMN]
      
      #This port indicates the OPMN Local Port
      OPMN Local Port = 6700
      
      #This port indicates the OPMN Local Port
      OPMN Remote Port = 6701
      
      ########################Begin section for ohs component################################
      #This port nos will be considered only if OHS is selected for configuration
      #######################################################################################
      
      [OHS]
      
      #The http_main port for ohs component
      OHS Port = 8888
      
      #This port indicates the OHS Proxy Port
      OHS Proxy Port = 8889
      
      #This port indicates the OHS SSL Port
      OHS SSL Port = 4443
      
      ########################Begin section for Web Cache component################################
      #This port nos will be considered only if Web Cache is selected for configuration
      #######################################################################################
      
      [WEBCACHE]
      
      #The port indicates the Web Cache Listen Port
      #Web Cache Listen Port = 7777
      
      #The port indicates the Web Cache Admin Port
      #Web Cache Admin Port = 7778
      
      #The port indicates the Web Cache Statistics Port
      #Web Cache Statistics Port = 7779
      
      #The port indicates the Web Cache Invalidation Port
      #Web Cache Invalidation Port = 7780
      
      #The port indicates the Web Cache SSL Port
      #Web Cache SSL Port = 7781
      
  • Installing the HTTP_Server software
    • patch6/Disk1/runInstaller -silent -responseFile /opt/install/oam/WebTierInstallAndConfigurePatch6.rsp
    • Result:
      Starting Oracle Universal Installer...
      Checking Temp space: must be greater than 400 MB.   Actual 2380 MB    Passed
      Checking swap space: must be greater than 500 MB.   Actual 16383 MB    Passed
      Preparing  to launch Oracle Universal Installer from  /tmp/OraInstall2013-02-28_10-04-05AM. Please wait ...[oam@oamhost  oam]$ Log:  /u01/app/oracle/product/oraInventory/logs/install2013-02-28_10-04-05AM.log
      Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
      Reading response file..
      Expected  result: One of  oracle-6,oracle-5.6,enterprise-5.4,enterprise-4,enterprise-5,redhat-5.4,redhat-4,redhat-5,SuSE-10,SuSE-11
      Actual Result: redhat-Red
      Check complete. The overall result of this check is: Failed <<<<
      Problem: This Oracle software is not certified on the current operating system.
      Recommendation: Make sure you are installing the software on the correct platform.
      Warning: Check:CertifiedVersions failed.
      Expected result: 1024MB
      Actual Result: 15948MB
      Check complete. The overall result of this check is: Passed
      TotalMemory Check: Success.
      Expected result: LD_ASSUME_KERNEL environment variable should not be set in the environment.
      Actual Result: Variable Not set.
      Check complete. The overall result of this check is: Passed
      Check Env Variable Check: Success.
      Verifying data......
      Copying Files...
      -----------20%----------40%----------60%----------80%--------100%
      [oam@oamhost oam]$ [CONFIG] Launching Config Actions....
      Started Configuration:Web Tier Configuration
      [CONFIG]:Create and Start AS Instance (instance1)
      [CONFIG] [Web Tier Configuration] [Create and Start AS Instance (instance1)]:Creating Oracle Instance directories...
      [CONFIG] [Web Tier Configuration] [Create and Start AS Instance (instance1)]:Recording OPMN ports reservations...
      [CONFIG] [Web Tier Configuration] [Create and Start AS Instance (instance1)]:Bootstrapping OPMN configuration files...
      [CONFIG] [Web Tier Configuration] [Create and Start AS Instance (instance1)]:Instantiating opmnctl for direct usage...
      [CONFIG] [Web Tier Configuration] [Create and Start AS Instance (instance1)]:Skipping instance registration
      [CONFIG] SUCCESS:Create and Start AS Instance (instance1)
      [CONFIG]:Create and Start OHS Component (ohs1)
      [CONFIG] [Web Tier Configuration] [Create and Start OHS Component (ohs1)]:Creating empty component directories...
      [CONFIG] [Web Tier Configuration] [Create and Start OHS Component (ohs1)]:Provisioning OHS files for ohs1
      [CONFIG]  [Web Tier Configuration] [Create and Start OHS Component  (ohs1)]:Copying OHS files from ORACLE_HOME to ORACLE_INSTANCE locations
      [CONFIG] [Web Tier Configuration] [Create and Start OHS Component (ohs1)]:Customizing httpd.conf
      [CONFIG] [Web Tier Configuration] [Create and Start OHS Component (ohs1)]:Adding component's process control to OPMN...
      [CONFIG] [Web Tier Configuration] [Create and Start OHS Component (ohs1)]:Skipping ohs1 component registration.
      [CONFIG] [Web Tier Configuration] [Create and Start OHS Component (ohs1)]:Invoking opmn reload...
      [CONFIG] SUCCESS:Create and Start OHS Component (ohs1)
      Configuration:Web Tier Configuration completed successfully
      The installation of Oracle AS Common Toplevel Component, Oracle WebTier and Utilities CD completed successfully.
      
  • Testing the installation: ok
  • Creating start/stop scripts in the /home/oam directory
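
A pre-flight check for the two files adapted above, as an added example that is not part of the original post: it applies the rules stated in the response file's own comments (mutually exclusive install flags, a static ports file when AUTOMATIC_PORT_DETECT=false, the instance naming rule), rejects password values stored in the file, and checks the static ports for duplicates and privileged ports. The function names are assumptions of this example, and the sample files are constructed from the values in the post.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: pre-flight checks for the two
# files edited above, to run before "runInstaller -silent".

# Print the value of KEY from a response file (keys may contain spaces).
rsp_get() {  # usage: rsp_get FILE KEY
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    { i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit } }
  ' "$1"
}

# Apply the rules stated in the response file comments, plus one hygiene rule:
# no password value may be stored in the file. Returns 1 when there are findings.
check_rsp() {  # usage: check_rsp FILE
  local f=$1 n=0 now later ini name stored
  now=$(rsp_get "$f" "INSTALL AND CONFIGURE TYPE")
  later=$(rsp_get "$f" "INSTALL AND CONFIGURE LATER TYPE")
  if [ "$now" = "$later" ]; then
    echo "FAIL: the INSTALL AND CONFIGURE flags are mutually exclusive, both are '$now'"
    n=$((n + 1))
  fi
  if [ "$(rsp_get "$f" AUTOMATIC_PORT_DETECT)" = "false" ]; then
    ini=$(rsp_get "$f" "STATICPORT INI FILE LOCATION")
    if [ -z "$ini" ] || [ ! -r "$ini" ]; then
      echo "FAIL: static ports file '$ini' is missing or unreadable"; n=$((n + 1))
    fi
  fi
  name=$(rsp_get "$f" INSTANCE_NAME)
  if ! printf '%s' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9_-]{3,29}$'; then
    echo "FAIL: INSTANCE_NAME '$name' breaks the naming rule (4 to 30 characters)"; n=$((n + 1))
  fi
  stored=$(awk -F= '!/^[ \t]*#/ && $1 ~ /PASSWORD|PWD/ && $2 ~ /[^ \t]/ { print $1 }' "$f")
  if [ -n "$stored" ]; then
    echo "FAIL: password stored in clear text for:" $stored; n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# Static ports must be valid, unique, and bindable by a non-root installer user.
check_ports() {  # usage: check_ports FILE
  awk -F= '
    /^[ \t]*#/ || /^[ \t]*\[/ || /^[ \t]*$/ { next }
    { name = $1; port = $2; gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/[ \t]/, "", port)
      if (port !~ /^[0-9]+$/ || port + 0 > 65535) {
        printf "FAIL: %s: invalid port \"%s\"\n", name, port; bad++
      } else if (port + 0 < 1024) {
        printf "FAIL: %s: port %s is privileged\n", name, port; bad++
      } else if (port in seen) {
        printf "FAIL: %s and %s both use port %s\n", seen[port], name, port; bad++
      } else seen[port] = name }
    END { exit (bad > 0) }
  ' "$1"
}

# Constructed sample: the values set in the post with comments trimmed. Only the
# static ports path differs, so that the example runs in a scratch directory.
write_samples() {  # usage: write_samples DIR
  cat > "$1/webtier_staticport.ini" <<'EOF'
[OPMN]
OPMN Local Port = 6700
OPMN Remote Port = 6701
[OHS]
OHS Port = 8888
OHS Proxy Port = 8889
OHS SSL Port = 4443
[WEBCACHE]
#Web Cache Listen Port = 7777
EOF
  cat > "$1/WebTierInstallAndConfigurePatch6.rsp" <<EOF
[GENERIC]
INSTALL AND CONFIGURE TYPE=true
INSTALL AND CONFIGURE LATER TYPE=false
INSTANCE_NAME=instance1
AUTOMATIC_PORT_DETECT=false
STATICPORT INI FILE LOCATION=$1/webtier_staticport.ini
MYORACLESUPPORT_PASSWORD=
PROXY_PWD=
[SYSTEM]
WEBCACHE_ADMINISTRATOR_PASSWORD=
[RELATIONSHIPS]
DOMAIN_USER_PASSWORD=
EOF
}

scratch=$(mktemp -d)
write_samples "$scratch"
check_rsp "$scratch/WebTierInstallAndConfigurePatch6.rsp" && echo "response file: ok"
check_ports "$scratch/webtier_staticport.ini" && echo "static ports: ok"
rm -rf "$scratch"
```
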
Installing the WebGate component
  • unzipping software
    • cd /opt/install/oam
    • mkdir webgates
    • unzip AccessManagerWebGates_111200.zip -d webgates
    • cd webgates/Disk1/stage/Response
    • cp WebgateSampleResponse.rsp ../../../../Webgate.rsp
    • Adapt Webgate.rsp
      [ENGINE]
      
      #DO NOT CHANGE THIS.
      Response File Version=1.0.0.0.0
      
      [GENERIC]
      
      #Provide the Oracle Home location. The location has to be the immediate child under the specified Middleware Home location. The Oracle Home directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character. The total length has to be less than or equal to 128 characters.
      ORACLE_HOME=/u01/app/oam/product/webtier/WebGate
      
      #Provide existing Middleware Home location.
      MIDDLEWARE_HOME=/u01/app/oam/product/webtier
      
      #Provide Location of GCC Library.
      GCC_LIBRARY_LOCATION=/usr/lib
      
      [SYSTEM]
      
      
      [APPLICATIONS]
      
      
      [RELATIONSHIPS]
  • Installing the webgate
    • webgates/Disk1/runInstaller -silent -responseFile /opt/install/oam/Webgate.rsp -jreLoc /u01/app/oam/product/jdk1.6.0_39/jre
    • Result
      Starting Oracle Universal Installer...
      Checking if CPU speed is above 300 MHz.    Actual 2933 MHz    Passed
      Checking Temp space: must be greater than 150 MB.   Actual 2380 MB    Passed
      Checking swap space: must be greater than 512 MB.   Actual 16383 MB    Passed
      Preparing  to launch Oracle Universal Installer from  /tmp/OraInstall2013-02-28_10-45-08AM. Please wait ...[oam@oamhost  oam]$ Log:  /u01/app/oracle/product/oraInventory/logs/install2013-02-28_10-45-08AM.log
      Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
      Reading response file..
      Expected  result: One of  oracle-6,oracle-5.6,enterprise-5.4,enterprise-4,enterprise-5,redhat-6.1,redhat-6,redhat-5.4,redhat-4,redhat-5,SuSE-10,SuSE-11
      Actual Result: redhat-Red
      Check complete. The overall result of this check is: Failed <<<<
      Problem: This Oracle software is not certified on the current operating system.
      Recommendation: Make sure you are installing the software on the correct platform.
      Warning: Check:CertifiedVersions failed.
      Expected result: 1024MB
      Actual Result: 15948MB
      Check complete. The overall result of this check is: Passed
      TotalMemory Check: Success.
      Verifying data......
      Copying Files...
      -----------20%----------40%----------60%----------80%--------100%
      The installation of oracle.as.webgate.top completed successfully.
      
  • Performing post installation tasks
    • cd /u01/app/oam/product/webtier/WebGate/webgate/ohs/tools/deployWebGate/
    • ./deployWebGateInstance.sh -w /u01/app/oam/product/webtier/instances/instance1/config/OHS/ohs1 -oh /u01/app/oam/product/webtier/WebGate
      Copying files from WebGate Oracle Home to WebGate Instancedir
    • export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/u01/app/oam/product/webtier/OHS/lib:/u01/app/oam/product/webtier/WebGate/webgate/ohs/lib
    • pwd
      /u01/app/oam/product/webtier/WebGate/webgate/ohs/tools/deployWebGate
    • cd ../setup/InstallTools/
    • ./EditHttpConf -w /u01/app/oam/product/webtier/instances/instance1/config/OHS/ohs1 -oh /u01/app/oam/product/webtier/WebGate -o webgate.conf
      The web server configuration file was successfully updated
      /u01/app/oam/product/webtier/instances/instance1/config/OHS/ohs1/httpd.conf has been backed up as /u01/app/oam/product/webtier/instances/instance1/config/OHS/ohs1/httpd.conf.ORIG
  • Registering the new webgate agent
    • Setting up the rreg tool
      • cd /u01/app/oam/product/middleware_home/OAM/oam/server/rreg/client
      • gunzip RREG.tar.gz
      • tar -xvf RREG.tar
      • cd rreg/bin
      • vi oamreg.sh   => setting the java_home directly
    • Updating the /u01/app/oam/product/middleware_home/OAM/oam/server/rreg/client/rreg/input/OAM11GRequest.xml file
      
      
      
      
      
      
          http://oamhost.contribute.be:7001
          RREG_HostId11G
          TestWebTier_WebGateAgent
          http://oamhost.contribute.be:8888
          false
          RREG_OAM11G
          false
          100000
          1800
          3600
          1
          24
          1
          -1
          60
          false
          open
          1
          false
          false
          false
          false
          no-cache
          no-cache
          0
          
             10.11.11.11
             10.11.11.12
             10.11.11.13
          
          
              /logout1.html
              /logout2.html
          
          /oam_logout_success
          end_url
          
      	/**
          
          
              /public/index.html
          
          
              /excluded/index.html
          
          
          
              
                  TestName
                  testValue1
                  testValue2
                  testValue3
              
          	
                  MaxPostDataLength
                  750000
              
          	
                  maxSessionTimeUnits
                  hours
              
              
                  RetainDownstreamPostData
                  false
              
              
                  useIISBuiltinAuthentication
                  false
                  
              
                  URLInUTF8Format
                  true
              
              
                  inactiveReconfigPeriod
                  10
              
              
                  WaitForFailover
                  -1
              
              
                  proxySSLHeaderVar
                  IS_SSL
              
              
                  client_request_retry_attempts
                  1
              
              
                  ContentLengthFor401Response
                  0
               
              
                  SUN61HttpProtocolVersion
                  1.0
               
              
                  impersonationCredentials
                  cred
              
              
                  UseWebGateExtForPassthrough
                  false
               
              
                  syncOperationMode
                  false
              
              
                  filterOAMAuthnCookie
                  true
                                              
          
      
      
      
      
    • ./oamreg.sh inband /u01/app/oam/product/middleware_home/OAM/oam/server/rreg/client/rreg/input/OAM11GRequest.xml
    • Result:
      JAVA_HOME=/u01/app/oam/product/jdk1.6.0_39
      CLASSPATH=./../lib/rreg.jar:./../lib:./../lib/RequestResponse.jar:./../lib/commons-codec-1.3.jar:./../lib/commons-httpclient-3.1.jar:./../lib/commons-logging-1.1.1.jar:./../lib/ojmisc.jar:./../lib/jps-api.jar:./../lib/jps-internal.jar:./../lib/jps-common.jar:./../lib/identitystore.jar:./../lib/identityutils.jar:./../lib/ldapjclnt11.jar:./../lib/dms.jar:./../lib/fmw_audit.jar:./../lib/ojdl.jar:./../lib/oraclepki.jar:./../lib/osdt_cert.jar:./../lib/osdt_core.jar:./../lib/osdt_jce.jar:./../lib/osdt_saml.jar:./../lib/osdt_xmlsec.jar:./../lib/xmlparserv2.jar:./../lib/jps-unsupported-api.jar:./../lib/nap-api.jar:./../lib/utilities.jar:./../lib/jps-ee.jar:.
      OAM_REG_HOME=./..
      ------------------------------------------------
      Welcome to OAM Remote Registration Tool!
      Parameters passed to the registration tool are: 
      Mode: inband
      Filename: /u01/app/oam/product/middleware_home/OAM/oam/server/rreg/client/rreg/input/OAM11GRequest.xml
      Enter admin username:weblogic
      Username: weblogic
      Enter admin password:         
      Do you want to enter a Webgate password?(y/n):
      y
      Enter webgate password:         
      Enter webgate password again:         
      Password accepted. Proceeding to register..
      Feb 28, 2013 1:56:35 PM oracle.security.am.engines.rreg.client.handlers.request.OAM11GRequestHandler getWebgatePassword
      INFO: Passwords matched and accepted.
      
      ----------------------------------------
      Request summary:
      OAM11G Agent Name:TestWebTier_WebGateAgent
      Base URL:http://oamhost.contribute.be:8888
      URL String:RREG_HostId11G
      Registering in Mode:inband
      Your registration request is being sent to the Admin server at:http://oamhost.contribute.be:7001
      ----------------------------------------
      
      Feb 28, 2013 1:56:39 PM oracle.security.jps.util.JpsUtil disableAudit
      INFO: JpsUtil: isAuditDisabled set to true
      Inband registration process completed successfully! Output artifacts are created in the output folder.
      
    • Copying the result to the instance directory of the webgate
      • cd /u01/app/oam/product/middleware_home/OAM/oam/server/rreg/client/rreg/output/TestWebTier_WebGateAgent
      • cp * /u01/app/oam/product/webtier/instances/instance1/config/OHS/ohs1/webgate/config/.
    • Starting the oam_server1
    • Restarting the webtier

 

Configuring OBIEE to use OAM

Challenge

Configuring OBIEE to use OAM as an SSO-solution.

Context

OBIEE 11.1.1.6.0 running on WLS 10.3.5
OAM 11.1.2 running on WLS 10.3.6.0
Both solutions are running on different machines, or at least on different images of a virtualization solution.

Solution

After setting up a common LDAP provider, as explained in my previous blog post, you are ready to connect OBIEE with your OAM environment.
Here are the steps we performed:

Configuring the HTTP_Server to redirect the URLs

We are going to make use of the Oracle HTTP_Server to redirect the users to the OAM for authentication and authorization.
  • Installing an HTTP_Server with WebGate.  See this blog for more info.
  • Adapt the /u01/app/oam/product/webtier/instances/instance1/config/OHS/ohs1/mod_wl_ohs.conf to
    # NOTE : This is a template to configure mod_weblogic. 
    
    LoadModule weblogic_module   "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
    
    #  This empty block is needed to save mod_wl related configuration from EM  to this file when changes are made at the Base Virtual Host Level
    <IfModule weblogic_module>
          WebLogicHost oamhost.contribute.be
          WebLogicPort 7001
          Debug ON
          WLLogFile /tmp/weblogic.log
    #      MatchExpression *.jsp
    </IfModule>
    
    # <Location /weblogic>
    #      SetHandler weblogic-handler
    #      PathTrim /weblogic
    #      ErrorPage  http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
    #  </Location>
    
     <Location /analytics>
        SetHandler weblogic-handler
        WebLogicHost obieehost.contribute.be
        WebLogicPort 9704
     </Location>
    
     <Location /mapviewer>
        SetHandler weblogic-handler
        WebLogicHost obieehost.contribute.be
        WebLogicPort 9704
     </Location>
    
     <Location /xmlpserver>
        SetHandler weblogic-handler
        WebLogicHost obieehost.contribute.be
        WebLogicPort 9704
     </Location>
    
  • Restart the HTTP_Server
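
A review step for the mod_wl_ohs.conf above, as an added example that is not part of the original post: it flags the `Debug ON` and `WLLogFile /tmp/weblogic.log` pair, which helps during setup but leaves plug-in diagnostics in a shared temp directory, and it lists every path handed to WebLogic so the list can be compared with the resources the WebGate protects. The function names and the hardened variant are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: review a mod_wl_ohs.conf
# before the web tier goes live.

# Prints WARN lines for plug-in debug logging and for log files in a shared
# temp directory, and one ROUTE line per <Location> handed to WebLogic.
# Reads the files given as arguments, or stdin. Returns 1 if there are warnings.
audit_mod_wl() {
  awk '
    $1 ~ /^#/ { next }                      # commented-out directive
    tolower($1) == "debug" && toupper($2) != "OFF" {
      printf "WARN line %d: Debug %s (plug-in debug logging enabled)\n", NR, $2; warn++
    }
    tolower($1) == "wllogfile" && $2 ~ /^"?\/(var\/)?tmp\// {
      printf "WARN line %d: WLLogFile %s (log file in a shared temp directory)\n", NR, $2; warn++
    }
    $1 == "<Location" { loc = $2; sub(/>$/, "", loc); host = port = ""; wl = 0; next }
    tolower($1) == "sethandler" && $2 == "weblogic-handler" { wl = 1 }
    # Host and port set outside a <Location> are the defaults for all routes.
    tolower($1) == "weblogichost" { if (loc != "") host = $2; else dhost = $2 }
    tolower($1) == "weblogicport" { if (loc != "") port = $2; else dport = $2 }
    $1 == "</Location>" {
      if (wl) printf "ROUTE %s -> %s:%s\n", loc, (host != "" ? host : dhost), (port != "" ? port : dport)
      loc = ""
    }
    END { exit (warn > 0) }
  ' "$@"
}

# The directives from the configuration shown above (comment lines trimmed).
page_conf() {
  cat <<'EOF'
<IfModule weblogic_module>
      WebLogicHost oamhost.contribute.be
      WebLogicPort 7001
      Debug ON
      WLLogFile /tmp/weblogic.log
#      MatchExpression *.jsp
</IfModule>
 <Location /analytics>
    SetHandler weblogic-handler
    WebLogicHost obieehost.contribute.be
    WebLogicPort 9704
 </Location>
 <Location /mapviewer>
    SetHandler weblogic-handler
    WebLogicHost obieehost.contribute.be
    WebLogicPort 9704
 </Location>
 <Location /xmlpserver>
    SetHandler weblogic-handler
    WebLogicHost obieehost.contribute.be
    WebLogicPort 9704
 </Location>
EOF
}

# Constructed variant for comparison: debug logging off, no log file in /tmp.
hardened_conf() {
  page_conf | sed -e 's/Debug ON/Debug OFF/' -e '/WLLogFile/d'
}

echo "== configuration from the post =="
page_conf | audit_mod_wl || echo "=> resolve the WARN lines before go-live"
echo "== hardened variant =="
hardened_conf | audit_mod_wl && echo "=> no warnings"
```
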

Configure the OBIEE components to use SSO:

  • Adding a new identity asserter
    • Go to the WLS console : http://obieehost.contribute.be:7001/console
    • Login and go to Security Realms -> MyRealm -> Providers(tab)
    • Create a new provider with
      • Name: OAMProvider
      • Type: OAMIdentityAsserter
    • Edit the newly created provider and set the control flag to SUFFICIENT and make sure that Active Type is set to "OAM_REMOTE_USER"
    • Reorder the providers to the list : OVDAuthenticator - OAMProvider - DefaultAuthenticator - DefaultIdentityAsserter
    • Restart the entire BI-domain
  • Enabling SSO
    • Go to the EM : http://obieehost.contribute.be:7001/em
    • Go to the Business Intelligence (folder on the left) -> coreapplication -> Security (tab) -> Single Sign-On (tab)
    • Enable SSO and set Oracle Access Manager as SSO Provider

    • Restart all OBIEE components

While using the URLs of the HTTP_Server, you should be authenticated through OAM.

Good luck.

Tuesday, 2 April 2013

Configuring OBIEE to use OVD as authenticator

Challenge

Configuring OBIEE to use OVD as an authenticator, allowing user accounts coming from OVD to log in to OBIEE.
Most of the blogs you find talk about integrating OID or AD.

Context

OBIEE 11.1.1.6.0 running on WLS 10.3.5
OVD 11.1.1.6.0 running on WLS 10.3.6.0
Both solutions are running on different machines, or at least on different images of a virtualization solution.

Solution

Before starting with the technical implementation, we need to clarify something.
There is no concept of multiple authenticators; the documentation clearly speaks of "Using Alternative Authentication Providers".  This means that you have 2 choices:
1. Use the default authenticator: this is the out-of-the-box situation.  All users come from this default authenticator.  The BISystemUser and the OracleSystemUser are also stored in this authenticator.  No other authenticators are in place.
2. Use a different authenticator: be it an OID authenticator, an AD authenticator, an OVD authenticator or even a SQL authenticator.  In this scenario, your new authenticator needs to be the primary one (first in the list of providers in the WLS console) and needs to hold all the users and the BISystemUser.  The OracleSystemUser may still reside in the default authenticator.
While the documentation seems to allow you the option to have both providing user information at the same time, be aware this isn't the case.  Bug 16568236 has been raised for this (this is a documentation bug!).

Now that we have clarified that, we know that when we want to use another authentication provider we need to go all the way, not just add the provider to the list.  The latter just works for any J2EE application, but not for OBIEE, and I believe not for WebCenter either.

Here are the steps to perform if you want to use OVD as an "Alternative" authentication provider:
    • Configure OVD as a new authenticator in the OBIEE WLS domain.  Clearly identify the attributes you want to use as unique identifier for your entity.  At the customer we used the sn for the readable name of the groups, while the cn has the unique identifier of the group.  OBIEE looks at the name of the group to know which group it is and not the unique identifier.  So make sure that you have the right configuration there.
    • Here is a part of the realm we used :
      <realm>
            <sec:authentication-provider xsi:type="wls:oracle-virtual-directory-authenticatorType">
              <sec:name>OVDAuthenticator</sec:name>
              <sec:control-flag>SUFFICIENT</sec:control-flag>
              <wls:host>ovd.contribute.be</wls:host>
              <wls:port>6501</wls:port>
              <wls:user-object-class>inetOrgPerson</wls:user-object-class>
              <wls:principal>cn=orclAdmin</wls:principal>
              <wls:user-base-dn>ou=users, dc=contribute, dc=be</wls:user-base-dn>
              <wls:group-base-dn>ou=groups, dc=contribute, dc=be</wls:group-base-dn>
              <wls:group-search-scope>onelevel</wls:group-search-scope>
              <wls:group-from-name-filter>(&amp;(sn=%g)(objectclass=groupofUniqueNames))</wls:group-from-name-filter>
              <wls:all-groups-filter>(&amp;(sn=*)(|(objectclass=groupofUniqueNames)(objectclass=groupofurls)))</wls:all-groups-filter>
              <wls:static-group-name-attribute>sn</wls:static-group-name-attribute>
              <wls:dynamic-group-name-attribute>sn</wls:dynamic-group-name-attribute>
              <wls:group-membership-searching>limited</wls:group-membership-searching>
            </sec:authentication-provider>
           
    • Remark: the config.xml file only shows the attributes whose value differs from the default.  That's why not all attributes are listed here.
    • Restart the entire bi-domain
    • Make sure that you can see your users and the groups.  Also make sure that you can see the group information per user in the WLS console.  It is normal that you cannot change the information of the user, the group, or the group information of the user.  All of this information is read-only.
    • To be able to use users from this authenticator, you need to set all other authenticators to 'SUFFICIENT' as well and put this authenticator first.
    • Identify the BISystemUser. 
      This user is used for internal communication between the OBIEE components.  This user must reside in the Authenticator that is first in the list of WLS.  The name of this special user may be anything you want.
      • Identify a user in the new OVDAuthenticator.  This user doesn't need any role.  We call this user's username from now on 'bisystemuser'
      • Go to the WLS console
        • Go to Security Realms -> myrealm -> Users and Groups -> Users
          Verify that the bisystemuser appears in the list.
        • Now go to Roles and Policies -> Realm Roles -> Global Roles -> Roles.  Click on the 'View Role Conditions'-link of the Admin role.
        • Now add the bisystemuser as a condition to the list, by clicking on the 'Add Conditions' button. 
          In the following screen select 'User' as predicate list and click on 'Next'. Type 'bisystemuser' in the first field and click the 'Add' button.  Now click on 'Finish'.
          Now the bisystemuser should be added to the condition list.
        • Click on the 'Save'-button
        • Let's do the same thing for the jms module.
          In the WLS console, go to Services -> Messaging -> JMS Modules
        • Click on the BipJmsResource-link.  Go to the Security-tab and then the Policies tab.
        • Now, like with the global roles, add the bisystemuser to the condition list.
        • Make sure that there are no pending changes in the WLS console, otherwise activate them.
      • Perform the following actions in the FMW console
        • Under the WebLogic Domain folder, find the BI-Domain and select it.
        • From the drop down menu, select Security->Credentials
          Now we are going to define which user and his password to use, to communicate with OWSM.
          • Select the record 'system.user', under the 'oracle.bi.system'-folder and click on the 'Edit'-link.
          • Now enter the username and password from the bisystemuser.
        • Now we are going to put this user in the correct application roles.
          • Back on the drop down menu from the BI-domain, select Security->Application Roles
          • In the field 'Application Stripe', select 'obi' and then click on the search image.  Then select the BISystem application role and click on the 'Edit'-link.
          • Now click on the 'Add'-link to add the bisystemuser. 
        • The last step is to specify which OVD attributes OBIEE should use.
          • Back on the drop down menu from the BI-domain, select Security->Security Provider Configuration
          • Under the Security Stores, click on the +-sign for Identity Store Provider.  Then click on the Configure-button.
          • Use the Add-link to add the following properties:
            • user.login.attr = cn
            • username.attr = cn
            • virtualize = true
            • PROPERTY_ATTRIBUTE_MAPPING = GUID=sn
              Not sure this actually does anything; it is just that in our stable situation we had this configured.
          • Click on the 'Ok'-button.
      • Stop the entire BI-environment and restart it.
      • When the bi_server1 server is starting, pay attention to the end.  If you see an error saying that something is wrong with the identity store or the connection to it, you need to repeat the previous steps.
    • Move existing users to the new authenticator.
      At this point, you should be able to log on with the users coming from your OVDAuthenticator.  The following steps are needed when some users had already logged on to the OBIEE server before and you moved them to the OVDAuthenticator.  The information for these users in the catalog needs to be updated.  This can be done with the following steps:
      • Make a backup of the catalog
        • cd /opt/bi/install/middleware/instances/instance1/bifoundation/OracleBIPresentationServicesComponent/coreapplication_obips1/catalog
        • cp -r <catalog-name> /tmp/<catalog-name>_backup
          You may put the copy anywhere you want, as long as you do not put it under the catalog directory: the GUID refresh is run for all catalogs under this directory, including your backup.
      • Make a backup of the repository file(s)
        • cd /opt/bi/install/middleware/instances/instance1/bifoundation/OracleBIServerComponent/coreapplication_obis1
        • cp -r repository /tmp/repository_backup
      • Refresh GUIDs: since you moved the users to another authenticator, the users will have different GUIDs (Global User IDs).  To sync the information in the catalog with the new user GUIDs, you need to perform the following steps.  Make sure all users exist in the new authenticator.
        Create a script with the following content:
        #!/bin/bash
        # Refresh the user GUIDs in the catalog and repository after moving users to another authenticator.
        export OPMNCTL_HOME=/opt/bi/install/middleware/instances/instance1/bin
        export NQSCONFIG_HOME=/opt/bi/install/middleware/instances/instance1/config/OracleBIServerComponent/coreapplication_obis1
        export INSTANCECONFIG_HOME=/opt/bi/install/middleware/instances/instance1/config/OracleBIPresentationServicesComponent/coreapplication_obips1
        echo "--- STOPPING PRESENTATION SERVICE ---"
        "$OPMNCTL_HOME/opmnctl" stopproc ias-component=coreapplication_obips1
        sleep 1
        echo "--- STOPPING BISERVER SERVICE ---"
        "$OPMNCTL_HOME/opmnctl" stopproc ias-component=coreapplication_obis1
        sleep 1
        # Switch the GUID refresh on in both configuration files (\s* accepts any spacing around '=')
        echo "--- SET FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES IN NQSCONFIG ---"
        perl -pi -e 's/FMW_UPDATE_ROLE_AND_USER_REF_GUIDS\s*=\s*NO/FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES/g' "$NQSCONFIG_HOME/NQSConfig.INI"
        echo "--- SET UpdateAndExit IN instanceconfig ---"
        perl -pi -e 's/UpdateAccountGUIDs>none/UpdateAccountGUIDs>UpdateAndExit/g' "$INSTANCECONFIG_HOME/instanceconfig.xml"
        # Start both components so that they perform the refresh
        echo "--- STARTING BISERVER SERVICE ---"
        "$OPMNCTL_HOME/opmnctl" startproc ias-component=coreapplication_obis1
        sleep 5
        echo "--- STARTING PRESENTATION SERVICE ---"
        "$OPMNCTL_HOME/opmnctl" startproc ias-component=coreapplication_obips1
        sleep 1
        # Switch the GUID refresh off again
        echo "--- SET FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO IN NQSCONFIG ---"
        perl -pi -e 's/FMW_UPDATE_ROLE_AND_USER_REF_GUIDS\s*=\s*YES/FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO/g' "$NQSCONFIG_HOME/NQSConfig.INI"
        echo "--- SET none IN instanceconfig ---"
        perl -pi -e 's/UpdateAccountGUIDs>UpdateAndExit/UpdateAccountGUIDs>none/g' "$INSTANCECONFIG_HOME/instanceconfig.xml"
        # Restart everything with the refresh switched off
        echo "--- stopping all services ---"
        "$OPMNCTL_HOME/opmnctl" stopall
        sleep 10
        echo "--- starting all services ---"
        "$OPMNCTL_HOME/opmnctl" startall
        
      • Run the script
      • Restart the entire bi-domain
    • Clean up existing users from the DefaultAuthenticator
      • When you moved your users to the OVDAuthenticator and checked that everything is still working, you can then remove the users from the DefaultAuthenticator.
      • Try this out with a couple of users, before performing the big clean-up
      • Leave the BISystemUser and the OracleSystemUser in place
      • If your users also have WebLogic roles, you need to add them to the OVDAuthenticator also.  Just add a role for a user by his name, for example: adding the "Administrators" role to a user.
      • There is also an option to completely remove the DefaultAuthenticator.  We didn't perform this action.
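
    The refresh script resets FMW_UPDATE_ROLE_AND_USER_REF_GUIDS and UpdateAccountGUIDs at the end, but perl -pi reports nothing when a substitution does not match, so a run can finish with the refresh still switched on. The check below is an added example, not part of the original post; the function names and sample file contents are made up for illustration, and it assumes the UpdateAccountGUIDs element sits on one line.

```shell
#!/bin/bash
# Added example (not from the original post): confirm the GUID refresh
# switches are back to their normal values after the refresh script ran.

# Value of FMW_UPDATE_ROLE_AND_USER_REF_GUIDS in an NQSConfig.INI.
# Commented-out lines (leading '#') are skipped; spacing around '=' is free.
nqs_guid_flag() {
    sed -n 's/^[[:space:]]*FMW_UPDATE_ROLE_AND_USER_REF_GUIDS[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Content of the <UpdateAccountGUIDs> element in an instanceconfig.xml.
ps_guid_mode() {
    sed -n 's/.*<UpdateAccountGUIDs>[[:space:]]*\([A-Za-z]*\)[[:space:]]*<\/UpdateAccountGUIDs>.*/\1/p' "$1" | tail -n 1
}

# Succeeds only if both switches are off. A missing setting counts as a
# failure so that it gets looked at by hand.
guid_refresh_disabled() {
    [ "$(nqs_guid_flag "$1")" = "NO" ] && [ "$(ps_guid_mode "$2")" = "none" ]
}

# Constructed sample files: the INI still has the flag on YES, as it would
# after a reset substitution that did not match.
sample_dir=$(mktemp -d)
printf '%s\n' '[SECURITY]' '# FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;' \
    'FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;' > "$sample_dir/NQSConfig.INI"
printf '%s\n' '<Catalog>' '  <UpdateAccountGUIDs>none</UpdateAccountGUIDs>' \
    '</Catalog>' > "$sample_dir/instanceconfig.xml"

if guid_refresh_disabled "$sample_dir/NQSConfig.INI" "$sample_dir/instanceconfig.xml"; then
    echo "GUID refresh is disabled"
else
    echo "GUID refresh still enabled:" \
         "NQSConfig=$(nqs_guid_flag "$sample_dir/NQSConfig.INI")" \
         "instanceconfig=$(ps_guid_mode "$sample_dir/instanceconfig.xml")"
fi
```

    Call guid_refresh_disabled with the NQSConfig.INI and instanceconfig.xml paths used in the refresh script, after the final restart.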

    Lessons learned

    • If you do not want to move the BISystemUser, then
      • the DefaultAuthenticator and the DefaultIdentityAsserter should be the first in the list
      • All providers should be set on SUFFICIENT
      • Your ProviderAuthenticator should be put last
      • It only works when the users are also in the DefaultAuthenticator
        • They don't have to have roles in this authenticator, this can be left in your custom authenticator
        • The password is also the one from your authenticator
        • They just need an entry in the DefaultAuthenticator
      • Conclusion: if you do not want to use provisioning, then this is an unworkable scenario
    • If you do move the BISystemUser, then
      • your authentication provider should be put first
      • all providers should be on SUFFICIENT
      • all users need to exist in your provider, also the system ones, so BISystemUser
      • No need to have the users in the DefaultAuthenticator
      • You need to move the BISystemUser => you need to refresh the GUIDs => take care of the catalog and rpd information => backup !!
      • Before refreshing GUIDs, make sure all users exist in the new authenticator


      

    Stopping all WLS-servers with force=true

    Challenge

    You want to stop your WebLogic servers with the option force='true'.  This would drastically reduce the time to stop a WLS-server.

    Solution

    You could change your scripts and add the parameter, but perhaps you don't have control over those scripts.
    There is a place where you can add this option, so it will always be taken into account.
    In the stopWebLogic.sh-file, located in the bin-directory of your domain (typically user_projects/domains/<domain_name>/bin), replace the following line
    echo "shutdown('${SERVER_NAME}','Server', ignoreSessions='true')" >>"shutdown.py"
    
    by
    echo "shutdown('${SERVER_NAME}','Server', force='true', ignoreSessions='true')" >>"shutdown.py"
    

    Perl Exception

    Challenge

    When running Perl scripts, like the Oracle opmn command, you receive the following error:
    perl: warning: Setting locale failed.
    perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_US.UTF-8"
        are supported and installed on your system.
    perl: warning: Falling back to the standard locale ("C").
    

    Solution

    Add the following lines to your script or your profile (like .bash_profile):
    export LC_CTYPE=en_US.UTF-8
    export LC_ALL=en_US.UTF-8