Changing Weblogic Password in OBIEE

Changing Weblogic Password in OBIEE

1. Go to the WebLogic Administration Console (http://hostname:7001/console).

2. Navigate Security Realm > Users and Groups > weblogic > passwords

3. Change the password for weblogic and save.

4. Navigate bifoundation_domain > Security > EmbeddedLDAP

Press "Lock & Edit."
Check the option "Refresh Replica At Startup" and save.
Press "Activate Changes."

This option "Refresh Replica At Startup" described as "Specifies whether the embedded LDAP server in a Managed Server should refresh all replicated data at boot time. This setting is useful if you have made many changes when the Managed Server was not active, and you want to download the entire replica instead of having the Administration Server push each change to the Managed Server." in the documentation.

5. Stop Admin Server.

6. Delete boot.properties from the following directories.
<MIDDLEWARE_HOME>/user_projects/domains/bifoundation_domain/servers/AdminServer/security
<MIDDLEWARE_HOME>/user_projects/domains/bifoundation_domain/servers/bi_server1/security

7. Create a new boot.properties file and placed under the above directories:
username=weblogic
password=mypassword
(Note: Please, replace "mypassword" with the actual password that you want to set.)
For further information on boot.properties, please check the Note 1265834.1 How To Start WebLogic Admin And OBIEE 11g Managed Servers Without Prompting Administrator Username And Password On Unix Environments.
Once the Admin Server or bi_server1 is started for the first time, credentials in the boot.properties file are automatically encrypted.

8. Start Admin Server. Admin Server has been started with a new password for weblogic.

9. Start bi_server1.

10. Start opmn components.

Reference:
OBIEE 11g: bi_server1 Failed to Start After Changing Weblogic User Password (Doc ID 2223465.1)
OBIA 11g: How to Change BI Applications System Account Passwords (Doc ID 1613764.1)

Configuring Active Directory as the Authentication Provider (OBIEE 11.1.1.9)

Configuring Active Directory as the Authentication Provider (OBIEE 11.1.1.9)

Purpose:

Connecting the OBIEE WebLogic LDAP server to Microsoft Active Directory, so users can log-into the dashboard using their Windows Active Directory username and password, and retrieve group membership.

Whilst OBIEE comes with the embedded WebLogic LDAP server to hold users and groups, the license for this is restricted such that you can't just move all users from other applications into the LDAP server.

If you search in the internet and Oracle docs for instructions on how to integrate OBIEE 11g with Active Directory, there are many different ways to do it with set of instructions.

A lot of this is because Active Directory is highly-configurable, and a lot depends on how much you want to replace, or just work alongside, the existing WLS LDAP server.

Our objective is to keep the WLS LDAP server and the user accounts within it and then make it possible for Active Directory users also log in and be assigned to the standard application roles that the WLS LDAP users have.

Procedure:

This procedure illustrates how to configure Oracle Business Intelligence to use Active Directory.

 Before starting the configuration, we need the following Active Director users and groups as below.

    ADbiapps, will be used as the principal that OBIEE uses to connect to the Active Directory server

    ADBISystemUser a user on Active Directory who wants to have administration rights in the Presentation Server and BI Server

Above users are organized into three groups in the AD server:

    ADBIAdministrators, analogous to the BIAdministrators group in the WLS LDAP server

    ADBIAuthors, analogous to the BIAuthors group in the WLS LDAP server

    ADBIConsumers, analogous to the BIConsumers group in the WLS LDAP server

The groups have just got those users as members, and the users are just regular AD users, including the ADBISystemUser account.

Let's go into the WebLogic Server Administration Console http://[machine_name]:7001/console) and start configuring the system for Active Directory integration.

To configure Active Directory as the Authentication Provider:

1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

2. Select Security Realms from the left pane and click myrealm.

The default Security Realm is named myrealm.

3. Display the Providers tab, then display the Authentication sub-tab.

4. Click New to launch the Create a New Authentication Provider page.

5. Enter values in the Create a New Authentication Provider page as follows:

• Name: Enter a name for the authentication provider. For example, ADAuthenticator.
• Type: Select ActiveDirectoryAuthenticator from the list.
• Click OK to save the changes and display the authentication providers list updated with the new authentication provider.

6. Now click on this new authentication provider in the list, and then when the Settings for ADProvider page is shown, set the Control Flag to SUFFICIENT, and press Save.

7. Click DefaultAuthenticator in the Name column to display the Settings page.
8. In the Common Authentication Provider Settings page, change the Control Flag from REQUIRED to SUFFICIENT and click Save.

 

Then, again click on Providers and with the list of authentication providers displayed, press the Reorder button. 

Change the order of the providers so that MSADProvider is first, followed by DefaultAuthenticator, DefaultIdentityAsserter and TrustServiceIdAsserter

Click ok.

With the list of authentication providers displayed Click on MSADProvider

Click on the Provider Specific tab

Enter the following details for your Active Directory installation, amending the settings as appropriate for your AD server.

Provider Specific
Connection
Host:	10.10.2.76
Port:	389
Principal:	CN=ADbiapps,DC=GLC,DC=COM,DC=SA
Credential:
Confirm Credential:
Users
User Base DN:	DC=GLC,DC=COM,DC=SA
User From Name Filter:	(&(sAMAccountName=%u)(objectclass=user))
User Name Attribute:	sAMAccountName
Groups
Group Base DN:	DC=GLC,DC=COM,DC=SA
Group From Name Filter:	(&(sAMAccountName=%g)(objectclass=group))
Static Groups
Static Group Name Attribute:	sAMAccountName

Click Save.

In the Change Center, click Activate Changes.

Restart Oracle WebLogic Server.

Once complete, log in again into the WebLogic Admin Console and select Security Realms > myrealm > Users and Groups. You should then see the Active Directory users listed alongside the WLS LDAP ones.

Next we will switch over to Enterprise Manager, first to configure Fusion Middleware's Oracle Platform Security Services to accept users and groups from both WLS LDAP and Active Directory when logging into the dashboard, and then we'll map the Active Directory groups to their equivalent application roles.

Log into Enterprise Manager, and select the WebLogic Domain > bifoundation_domain menu item on the left. Right-click on it and select Security> Security Provider Configuration. When the Security Provider Configurationpage is displayed, expand the Identity Store Provider area and press the Configure… button.

The Identity Store Configuration page will then be displayed. Press the Add button next to the Custom Properties area, and add a new custom property with these settings :

Property Name : virtualize
Value : true

Press OK to close the page.

Update the system.user key points to an existing user BISystemUser in Active Directory, then the system.user Credential Key will have be updated from Enterprise manager Credential Store (to point to the correct user/password

Edit Key > Select map= oracle.bi.system 

Key = system.user
TYpe = Password
User name = this should be your AD user
Password= password for AD user

Now right-click on the Business Intelligence > coreapplication entry in the left-hand side menu, and select Security > Application Roles. As you may have done with the application role settings in yesterday's postings, edit the BIAdministrator, BIAuthor and BIConsumer application roles so that the new Active Directory groups are listed as members.

Doing this ensures that the Active Directory users get the same type of Presentation Server and repository privileges as WLS LDAP users, but they won't have administration access to WebLogic or Enterprise Manager. 

Add AD User ADBISystemUser are mapped to Application Roles
Log in to Weblogic Admin console > Security Realms from the left-hand menu > drill on your security realm in the main screen (e.g. myrealm)
> Roles and Policies Tab >expand Global Roles> then Roles, then click on the link marked View Role Conditions
For the OBIEE application role eg "Apptester" you should see the corresponding AD group in View Role Conditions eg Group=Apptester (created on AD)

·  Doing this ensures that the Active Directory users get the same type of Presentation Server and repository privileges as WLS LDAP users, but they won't have administration access to WebLogic or Enterprise Manager.

You can, if you want, grant these users the same sorts of domain administrator rights as the WLS LDAP users, and you can indeed remove all of the WLS LDAP users and groups and move over to Active Directory entirely. But in most cases I see, this level of integration is sufficient, as it still allows the OBIEE administrators to control their own user accounts and privileges.

·  You should now be able to log in as one of the Active Directory users. In the screenshot below, the AD User user has logged in, and has been granted the BIAuthor role through their membership of the ADBIAuthors Active Directory group. If Anne Administrator, an Active Directory user assigned to the ADBIAdministrator group, logs in she will be able to administer the Presentation Server permissions and privileges, but she won't be able to log into Enterprise Manager to change the repository, for example.

Useful Links and Oracle Doc ID’s

After Upgrade from OBIEE 10g Unable To Login To OBIEE 11g : "Unable to find user in identity store" (Doc ID 1482788.1)

OBIEE 11g: Alert: Users Unable to Log in to OBIEE 11.1.1.9 if Using MSAD or Other Third-Party LDAP as the Identity Store and Virtualization is Set to true. (Doc ID 2016571.1)

OBIEE 11g: How To Setup ADSI LDAP Security Provider (Doc ID 1273961.1)

https://www.rittmanmead.com/blog/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/

https://www.rittmanmead.com/blog/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/

http://paulcannon-bi.blogspot.com/2012/07/configuring-ldap-authentication-for.html

https://docs.oracle.com/middleware/11119/biee/BIESC/privileges.htm#BABBCEFH

https://www.rittmanmead.com/blog/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables

EBS R12.2. Start and Stop Procedure (Individual Components) on Application Tier

Stop/Start Individual services EBS 12.2

Scripts Location:$ADMIN_SCRIPTS_HOME

Stop

Component	Command
Fullfillment Serer Services	$jtffmctl.sh stop
Concurrent Manager Service	$adcmctl.sh stop apps/apps
Managed Server for Forms web  Services	$admanagedsrvctl.sh stop forms-c4ws_server1 Enter Weblogic Admin Password:
Managed Server for Fusion MiddleWare  Services	$admanagedsrvctl.sh stop oafm_server1 Enter Weblogic Admin Password:
Managed Server for FormsServices	$admanagedsrvctl.sh stop forms_server1 Enter Weblogic Admin Password:
Managed Server for OACORE Services	$admanagedsrvctl.sh stop oacore_server1 Enter Weblogic Admin Password:
Apache Services	$adapchctl.sh stop
Oracle Process Manager	$adopmnctl.sh stop
Application Listener	$adadlctl stop
Weblogic Admin Server	$adadminsrvctl.sh stop Enter Weblogic Admin Password:
Node Manager	$adnodemgrctl.sh stop Enter Weblogic Admin Password:

Start

Component	Command
Node Manager	$adnodemgrctl.sh start Enter Weblogic Admin Password:
Weblogic Admin Server	$adadminsrvctl.sh start Enter Weblogic Admin Password:
Application Listener	$adadlctl start
Oracle Process Manager	$adopmnctl.sh start
Apache Services	$adapchctl.sh start
Managed Server for OACORE Services	$admanagedsrvctl.sh start oacore_server1 Enter Weblogic Admin Password:
Managed Server for FormsServices	$admanagedsrvctl.sh start forms_server1 Enter Weblogic Admin Password:
Managed Server for Fusion MiddleWare  Services	$admanagedsrvctl.sh start oafm_server1 Enter Weblogic Admin Password:
Managed Server for Forms web  Services	$admanagedsrvctl.sh start forms-c4ws_server1 Enter Weblogic Admin Password:
Concurrent Manager Service	$adcmctl.sh start apps/apps
Fullfillment Serer Services	$jtffmctl.sh start

Changing weblogic password in EBS R12.2

Following steps used to change Oracle WebLogic User Password in EBS R12.2.
Make sure EBSapps.env executed for run file system

1. Shut down all application tier services.
$ $ADMIN_SCRIPTS_HOME/adstpall.sh

2. Start Admin Server.
$ $ADMIN_SCRIPTS_HOME/adadminsrvctl.sh start

3. Please check whether the "boot.properties" file exists under $EBS_DOMAIN_HOME/servers/<server name>/data/nodemanager directory.  If yes, take a backup of the file, manually remove it.

4. Change Oracle WebLogic User password by executing below command.

perl $FND_TOP/patch/115/bin/txkUpdateEBSDomain.pl -action=updateAdminPassword

Make sure the above command completes successfully.

5. Try logging in to WLS Admin console with the new password to confirm the password change.

6. Start all application tier services:
$ $ADMIN_SCRIPTS_HOME/adstrtal.sh

Doc ID 2178617.1

Customizing the WebLogic JVM heap size

How to customize Java Virtual Machine Settings in Oracle WebLogic Server

To achieve the best performance of the application and avoid performance bottlenecks problems ( “OutOfMemory”) you need to tune your Java Virtual Machine.
After fresh install of WebLogic Server and create a Domain (WebLogic or SOA or Forms or OBIEE etc.) you may set some properties such as Java “Heap size”, tune Java “Garbage Collection” and WebLogic Server start options.
Tune JVM settings
set the Variable USER_MEM_ARGS for the Admin Server and each Managed Server to tune the JVM Parameters. For Example:

USER_MEM_ARGS="-Xms1g -Xmx3g -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:NewSize=1g"

Where:

• Xms1g: JVM initial heap size: In this example: 1 GB
• Xmx3g: JVM maximal heap size: The heap can grow to 3 GB
• -XX:+UseParNewGC: Uses parallel version of a younger generation

You can change the default JVM heap size to fit the needs of your deployment.

The default JVM heap size for WebLogic is 3GB. The size is set in the setDomainEnv.sh file for Linux or setDomainEnv.cmd for Windows, which is in the $DOMAIN_HOME/bin directory. The heap size is set with the -Xmx option.

To change the WebLogic JVM heap size:

1. Open the setDomainEnv file in a text editor.
2. Search for this comment line:
   For Linux:
   

   # IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values

   For Windows:
   

   @REM IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values

3. Immediately after the comment line, add one of these lines:
   For Linux:
   

   export USER_MEM_ARGS="-Xms128m -Xmx3072m ${MEM_DEV_ARGS} ${MEM_MAX_PERM_SIZE}"

   For Windows:
   

   set USER_MEM_ARGS=-Xms128m -Xmx3072m %MEM_DEV_ARGS% %MEM_MAX_PERM_SIZE%

4. Save the file.
5. Re-start WebLogic Server.      

Fusion Middleware Administrator's Guide - Contents

Fusion Middleware Administrator's Guide - Contents