Changing EBS Datasource APPS Password in OBIA/BIAPPS

Changing EBS Datasource APPS Password in OBIA/BIAPPS

Step 1 Drop and recreate Database Link with New APPS Password
Drop DBLINK
DROP PUBLIC DATABASE LINK "ERPPROD.WORLD@DSN_90";

Create New DBLINK
CREATE PUBLIC DATABASE LINK "ERPPROD.WORLD@DSN_90"
CONNECT TO APPS
IDENTIFIED BY newpassword
USING 'ERPPROD';

Step 2 Update EBS Datasource with new APPS Password in BI Configuration Manager.
To update the new password in source system (EBS Datasource).
Login to BI Application Configuration Manager  http://bi.mydomain.com:9704/biacm
Click on Define Business Intelligence Applications Instance

Click on Edit Button

Click Next

In the Edit Connection Details, Update new Apps Password and Click on Test

Save and Close the Window

Step 3 Update ODI EBS DataSource with new APPS Password
Login the ODI studio
Update apps password for ODI_DS Data source

Update apps password for ERPPROD Data source

Step 4 Update new APPS Password in Repository (RPD) file
Required for analytics 

Login to BI Administration Tool
Open Repository online

Select Oracle EBS OLTP in the Physical Layer

Right Click on Oracle EBS OLTP and select Properties

Click Yes for Check-Out

Select Oracle EBS OLTP InitBlock Connection Pool and Click Edit Button

Click Yes for Check-Out

Type new apps Password  and click Ok

Changing Weblogic Password in OBIEE

Changing Weblogic Password in OBIEE

1. Go to the WebLogic Administration Console (http://hostname:7001/console).

2. Navigate Security Realm > Users and Groups > weblogic > passwords

3. Change the password for weblogic and save.

4. Navigate bifoundation_domain > Security > EmbeddedLDAP

Press "Lock & Edit."
Check the option "Refresh Replica At Startup" and save.
Press "Activate Changes."

This option "Refresh Replica At Startup" described as "Specifies whether the embedded LDAP server in a Managed Server should refresh all replicated data at boot time. This setting is useful if you have made many changes when the Managed Server was not active, and you want to download the entire replica instead of having the Administration Server push each change to the Managed Server." in the documentation.

5. Stop Admin Server.

6. Delete boot.properties from the following directories.
<MIDDLEWARE_HOME>/user_projects/domains/bifoundation_domain/servers/AdminServer/security
<MIDDLEWARE_HOME>/user_projects/domains/bifoundation_domain/servers/bi_server1/security

7. Create a new boot.properties file and placed under the above directories:
username=weblogic
password=mypassword
(Note: Please, replace "mypassword" with the actual password that you want to set.)
For further information on boot.properties, please check the Note 1265834.1 How To Start WebLogic Admin And OBIEE 11g Managed Servers Without Prompting Administrator Username And Password On Unix Environments.
Once the Admin Server or bi_server1 is started for the first time, credentials in the boot.properties file are automatically encrypted.

8. Start Admin Server. Admin Server has been started with a new password for weblogic.

9. Start bi_server1.

10. Start opmn components.

Reference:
OBIEE 11g: bi_server1 Failed to Start After Changing Weblogic User Password (Doc ID 2223465.1)
OBIA 11g: How to Change BI Applications System Account Passwords (Doc ID 1613764.1)

When Login to ODI 11g Studio Integrated With BI Apps 11.1.1.7.1 later "ODI-10199: Incorrect ODI username or password"

Following command used to generate new wallet on BI

Reference: (Doc ID 1913660.1)

[applbi3@bitest03 ~]$ /u01/oracle/Middleware/Oracle_BI1/common/bin/wlst.sh /u01/oracle/Middleware/Oracle_BI1/bifoundation/install/createJPSArtifactsODI.py embedded --ADMIN_USER_NAME weblogic --DOMAIN_HOSTNAME bitest03.plsa.com.sa --DOMAIN_PORT 7001 --DOMAIN_HOME_PATH /u01/oracle/Middleware/user_projects/domains/bifoundation_domain

CLASSPATH=/u01/oracle/Middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/oracle/Middleware/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/oracle/jdk/lib/tools.jar:/u01/oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/u01/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/u01/oracle/Middleware/modules/features/weblogic.server.modules_10.3.6.0.jar:/u01/oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/u01/oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/u01/oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar::/u01/oracle/Middleware/Oracle_BI1/common/wlst/lib/webcenter-admin-commands.jar:/u01/oracle/Middleware/Oracle_BI1/analytics-collector/archives/applications/analytics-collector-jee.jar:/u01/oracle/Middleware/Oracle_BI1/common/wlst/lib/webcenter-admin-commands.jar:/u01/oracle/Middleware/oracle_common/modules/oracle.jrf_11.1.1/jrf-wlstman.jar:/u01/oracle/Middleware/oracle_common/common/wlst/lib/adfscripting.jar:/u01/oracle/Middleware/oracle_common/common/wlst/lib/adf-share-mbeans-wlst.jar:/u01/oracle/Middleware/oracle_common/common/wlst/lib/mdswlst.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/auditwlst.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/igfwlsthelp.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/jps-wlst.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/jps-wls-trustprovider.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/jrf-wlst.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/oamap_help.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/oamAuthnProvider.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/ossoiap_help.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/ossoiap.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/ovdwlsthelp.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/sslconfigwlst.jar:/u01/oracle/Middleware/oracle_common/common/wlst/resources/wsm-wlst.jar:/u01/oracle/Middleware/utils/config/10.3/config-launch.jar::/u01/oracle/Middleware/wlserver_10.3/common/derby/lib/derbynet.jar:/u01/oracle/Middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/u01/oracle/Middleware/wlserver_10.3/common/derby/lib/derbytools.jar::

Picked up _JAVA_OPTIONS: -Djava.io.tmpdir=/u01/tmp

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

[Enter the password for user :weblogic]

Connecting to t3://bitest03.plsa.com.sa:7001 with userid weblogic ...

Successfully connected to Admin Server 'AdminServer' that belongs to domain 'bifoundation_domain'.

Warning: An insecure protocol was used to connect to the

server. To ensure on-the-wire security, the SSL port or

Admin port should be used instead.

Disconnected from weblogic server: AdminServer

jps-config file created successfully

jps-config-jse.xml file created successfully at:/u01/oracle/Middleware/user_projects/domains/bifoundation_domain/odi-client-config/embedded/jps-config-jse.xml

Connecting to t3://bitest03.plsa.com.sa:7001 with userid weblogic ...

Successfully connected to Admin Server 'AdminServer' that belongs to domain 'bifoundation_domain'.

Warning: An insecure protocol was used to connect to the

server. To ensure on-the-wire security, the SSL port or

Admin port should be used instead.

Creating Bootstrap Credential

Mar 04, 2018 12:04:00 PM oracle.security.jps.internal.config.xml.XmlConfigurationFactory validateFileLocation

INFO: JPS CONFIG:/u01/oracle/Middleware/user_projects/domains/bifoundation_domain/odi-client-config/embedded/jps-config-jse.xml

Mar 04, 2018 12:04:00 PM oracle.security.jps.internal.common.util.XmlSchemaValidationUtil$StrictErrorHandler warning

WARNING: Invalid xml content was found. SchemaLocation: schemaLocation value = 'http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd' must have even number of URI's. Location: line 1 column 310.

key updated succesfully

credential updated successfully

Disconnected from weblogic server: AdminServer

JPS config file and credential wallet at location: /u01/oracle/Middleware/user_projects/domains/bifoundation_domain/odi-client-config/embedded

[applbi3@bitest03 ~]$ cp /u01/oracle/Middleware/user_projects/domains/bifoundation_domain/odi-client-config/embedded/cwallet.sso /u01/oracle/Middleware/Oracle_ODI1/oracledi/client/odi/bin/

[applbi3@bitest03 ~]$ cp /u01/oracle/Middleware/user_projects/domains/bifoundation_domain/odi-client-config/embedded/jps-config-jse.xml /u01/oracle/Middleware/Oracle_ODI1/oracledi/client/odi/bin/

Copied new cwallet.sso and jps-config-jse.xml client Oracle_ODI\oracledi\client\odi\bin

You can able to login ODI Studio.

Configuring Active Directory as the Authentication Provider (OBIEE 11.1.1.9)

Configuring Active Directory as the Authentication Provider (OBIEE 11.1.1.9)

Purpose:

Connecting the OBIEE WebLogic LDAP server to Microsoft Active Directory, so users can log-into the dashboard using their Windows Active Directory username and password, and retrieve group membership.

Whilst OBIEE comes with the embedded WebLogic LDAP server to hold users and groups, the license for this is restricted such that you can't just move all users from other applications into the LDAP server.

If you search in the internet and Oracle docs for instructions on how to integrate OBIEE 11g with Active Directory, there are many different ways to do it with set of instructions.

A lot of this is because Active Directory is highly-configurable, and a lot depends on how much you want to replace, or just work alongside, the existing WLS LDAP server.

Our objective is to keep the WLS LDAP server and the user accounts within it and then make it possible for Active Directory users also log in and be assigned to the standard application roles that the WLS LDAP users have.

Procedure:

This procedure illustrates how to configure Oracle Business Intelligence to use Active Directory.

 Before starting the configuration, we need the following Active Director users and groups as below.

    ADbiapps, will be used as the principal that OBIEE uses to connect to the Active Directory server

    ADBISystemUser a user on Active Directory who wants to have administration rights in the Presentation Server and BI Server

Above users are organized into three groups in the AD server:

    ADBIAdministrators, analogous to the BIAdministrators group in the WLS LDAP server

    ADBIAuthors, analogous to the BIAuthors group in the WLS LDAP server

    ADBIConsumers, analogous to the BIConsumers group in the WLS LDAP server

The groups have just got those users as members, and the users are just regular AD users, including the ADBISystemUser account.

Let's go into the WebLogic Server Administration Console http://[machine_name]:7001/console) and start configuring the system for Active Directory integration.

To configure Active Directory as the Authentication Provider:

1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

2. Select Security Realms from the left pane and click myrealm.

The default Security Realm is named myrealm.

3. Display the Providers tab, then display the Authentication sub-tab.

4. Click New to launch the Create a New Authentication Provider page.

5. Enter values in the Create a New Authentication Provider page as follows:

• Name: Enter a name for the authentication provider. For example, ADAuthenticator.
• Type: Select ActiveDirectoryAuthenticator from the list.
• Click OK to save the changes and display the authentication providers list updated with the new authentication provider.

6. Now click on this new authentication provider in the list, and then when the Settings for ADProvider page is shown, set the Control Flag to SUFFICIENT, and press Save.

7. Click DefaultAuthenticator in the Name column to display the Settings page.
8. In the Common Authentication Provider Settings page, change the Control Flag from REQUIRED to SUFFICIENT and click Save.

 

Then, again click on Providers and with the list of authentication providers displayed, press the Reorder button. 

Change the order of the providers so that MSADProvider is first, followed by DefaultAuthenticator, DefaultIdentityAsserter and TrustServiceIdAsserter

Click ok.

With the list of authentication providers displayed Click on MSADProvider

Click on the Provider Specific tab

Enter the following details for your Active Directory installation, amending the settings as appropriate for your AD server.

Provider Specific
Connection
Host:	10.10.2.76
Port:	389
Principal:	CN=ADbiapps,DC=GLC,DC=COM,DC=SA
Credential:
Confirm Credential:
Users
User Base DN:	DC=GLC,DC=COM,DC=SA
User From Name Filter:	(&(sAMAccountName=%u)(objectclass=user))
User Name Attribute:	sAMAccountName
Groups
Group Base DN:	DC=GLC,DC=COM,DC=SA
Group From Name Filter:	(&(sAMAccountName=%g)(objectclass=group))
Static Groups
Static Group Name Attribute:	sAMAccountName

Click Save.

In the Change Center, click Activate Changes.

Restart Oracle WebLogic Server.

Once complete, log in again into the WebLogic Admin Console and select Security Realms > myrealm > Users and Groups. You should then see the Active Directory users listed alongside the WLS LDAP ones.

Next we will switch over to Enterprise Manager, first to configure Fusion Middleware's Oracle Platform Security Services to accept users and groups from both WLS LDAP and Active Directory when logging into the dashboard, and then we'll map the Active Directory groups to their equivalent application roles.

Log into Enterprise Manager, and select the WebLogic Domain > bifoundation_domain menu item on the left. Right-click on it and select Security> Security Provider Configuration. When the Security Provider Configurationpage is displayed, expand the Identity Store Provider area and press the Configure… button.

The Identity Store Configuration page will then be displayed. Press the Add button next to the Custom Properties area, and add a new custom property with these settings :

Property Name : virtualize
Value : true

Press OK to close the page.

Update the system.user key points to an existing user BISystemUser in Active Directory, then the system.user Credential Key will have be updated from Enterprise manager Credential Store (to point to the correct user/password

Edit Key > Select map= oracle.bi.system 

Key = system.user
TYpe = Password
User name = this should be your AD user
Password= password for AD user

Now right-click on the Business Intelligence > coreapplication entry in the left-hand side menu, and select Security > Application Roles. As you may have done with the application role settings in yesterday's postings, edit the BIAdministrator, BIAuthor and BIConsumer application roles so that the new Active Directory groups are listed as members.

Doing this ensures that the Active Directory users get the same type of Presentation Server and repository privileges as WLS LDAP users, but they won't have administration access to WebLogic or Enterprise Manager. 

Add AD User ADBISystemUser are mapped to Application Roles
Log in to Weblogic Admin console > Security Realms from the left-hand menu > drill on your security realm in the main screen (e.g. myrealm)
> Roles and Policies Tab >expand Global Roles> then Roles, then click on the link marked View Role Conditions
For the OBIEE application role eg "Apptester" you should see the corresponding AD group in View Role Conditions eg Group=Apptester (created on AD)

·  Doing this ensures that the Active Directory users get the same type of Presentation Server and repository privileges as WLS LDAP users, but they won't have administration access to WebLogic or Enterprise Manager.

You can, if you want, grant these users the same sorts of domain administrator rights as the WLS LDAP users, and you can indeed remove all of the WLS LDAP users and groups and move over to Active Directory entirely. But in most cases I see, this level of integration is sufficient, as it still allows the OBIEE administrators to control their own user accounts and privileges.

·  You should now be able to log in as one of the Active Directory users. In the screenshot below, the AD User user has logged in, and has been granted the BIAuthor role through their membership of the ADBIAuthors Active Directory group. If Anne Administrator, an Active Directory user assigned to the ADBIAdministrator group, logs in she will be able to administer the Presentation Server permissions and privileges, but she won't be able to log into Enterprise Manager to change the repository, for example.

Useful Links and Oracle Doc ID’s

After Upgrade from OBIEE 10g Unable To Login To OBIEE 11g : "Unable to find user in identity store" (Doc ID 1482788.1)

OBIEE 11g: Alert: Users Unable to Log in to OBIEE 11.1.1.9 if Using MSAD or Other Third-Party LDAP as the Identity Store and Virtualization is Set to true. (Doc ID 2016571.1)

OBIEE 11g: How To Setup ADSI LDAP Security Provider (Doc ID 1273961.1)

https://www.rittmanmead.com/blog/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/

https://www.rittmanmead.com/blog/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/

http://paulcannon-bi.blogspot.com/2012/07/configuring-ldap-authentication-for.html

https://docs.oracle.com/middleware/11119/biee/BIESC/privileges.htm#BABBCEFH

https://www.rittmanmead.com/blog/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables

ETL Phases

Oracle BI Applications ETL processes includes three main phases: SDE, SIL, and PLP.

• SDE stands for Source Dependent Extract. In this phase, SDE tasks extract data from the source system and SDS and stage it in staging tables. SDE tasks are source specific.

• SIL stands for Source Independent Load. Load tasks transform and port the data from staging tables to base fact or dimension tables. SIL tasks are source independent.
• PLP stands Post Load Process. PLP tasks are only executed after the dimension and fact tables are populated. A typical usage of a PLP task is to transform data from a base fact table and load it into an aggregate table. PLP tasks are source independent.