
Thursday, August 20, 2015

REFRESH GUIDS

In Oracle Business Intelligence 11g Release 1 (11.1.1), users are recognized by their global unique identifiers (GUIDs), not by their names. GUIDs are identifiers that are completely unique for a given user. Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata are uniquely secured for a specific user, independent of the user name.
Wherever possible, secure access to data and metadata using application roles rather than individual users.
Refreshing GUIDs / GUID Synchronization / GUID Regeneration
GUID refresh updates any metadata references to user GUIDs in the Oracle BI repository and Oracle BI Presentation Catalog. During the GUID refresh process, each user name is looked up in the identity store. Then, all metadata references to the GUID associated with that user name are replaced with the GUID in the identity store.
When is it needed? If Oracle best practices are not observed and Oracle Business Intelligence repository data is migrated between systems that have different GUIDs for the same users, GUID refresh is required for the system to function. This is not a recommended practice, because it raises the risk that data and metadata secured to one user (for example, John Smith, who left the company two weeks ago) becomes accessible to another user (for example, John Smith, who joined last week). Using application roles wherever possible and using GUIDs consistently across the full development-to-production lifecycle prevents this problem from occurring.

Refreshing User GUIDs

To refresh user GUIDs, perform the following steps on APPHOST1 and APPHOST2. Note that GUID refresh must occur with only one node operating at a time.
1.    Stop Oracle BI Server and Presentation Services on all nodes except where you are refreshing the user GUIDs. For example:
      cd ORACLE_BASE/admin/instancen/bin
      ./opmnctl stopproc ias-component=coreapplication_obips1
      ./opmnctl stopproc ias-component=coreapplication_obis1
2.    Update the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI:
      Open NQSConfig.INI for editing at:
      ORACLE_INSTANCE/config/OracleBIServerComponent/coreapplication_obisn
      Locate the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter and set it to YES, as follows:
      FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
      Save and close the file.
3.    Update the Catalog element in the instanceconfig.xml file:
      Open instanceconfig.xml for editing at:
      ORACLE_INSTANCE/config/OracleBIPresentationServicesComponent/coreapplication_obipsn
      Locate the Catalog element and update it as follows:
      <Catalog>
        <UpgradeAndExit>false</UpgradeAndExit>
        <UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>
      </Catalog>
      Save and close the file.
4.    On the node where you are refreshing the GUIDs, start the Oracle BI Server and Presentation Services using opmnctl:
      cd ORACLE_BASE/admin/instancen/bin
      ./opmnctl startproc ias-component=coreapplication_obis1
      After you confirm that the Oracle BI Server is running, start Presentation Services:
      ./opmnctl startproc ias-component=coreapplication_obips1
5.    Set the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI back to NO.
      Important: You must perform this step to ensure that your system is secure.
6.    Update the Catalog element in instanceconfig.xml to remove the UpdateAccountGUIDs entry.
7.    Restart the Oracle Business Intelligence system components using opmnctl:
      cd ORACLE_BASE/admin/instancen/bin
      ./opmnctl stopall
      ./opmnctl startall
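
The procedure above ends by turning both refresh switches back off, and the page marks that as required for the system to be secure. The following shell check is an added example, not part of the original post or of Oracle's tooling: it reports whether either switch is still active in the two files named above. The function names are this example's own, the sample files are constructed, and it assumes one parameter per line in NQSConfig.INI.

```shell
# Added example: audit that the GUID-refresh switches were turned back off.

# True (0) if an active line sets the parameter to YES. Commented-out lines
# are ignored because the match is anchored to the start of the line.
ini_refresh_enabled() {
    grep -Eiq '^[[:space:]]*FMW_UPDATE_ROLE_AND_USER_REF_GUIDS[[:space:]]*=[[:space:]]*YES[[:space:]]*(;|$)' "$1"
}

# Print the XML with <!-- ... --> comments removed, including multi-line ones.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_c) {
                p = index(line, "-->")
                if (p == 0) { line = "" } else { line = substr(line, p + 3); in_c = 0 }
            } else {
                p = index(line, "<!--")
                if (p == 0) { out = out line; line = "" } else { out = out substr(line, 1, p - 1); line = substr(line, p + 4); in_c = 1 }
            }
        }
        print out
    }' "$1"
}

# True (0) if an UpdateAccountGUIDs element is still present outside comments.
catalog_refresh_enabled() {
    strip_xml_comments "$1" | grep -q '<UpdateAccountGUIDs[[:space:]>]'
}

# $1 = NQSConfig.INI, $2 = instanceconfig.xml. Returns 1 if either switch is on.
audit_guid_refresh() {
    rc=0
    if ini_refresh_enabled "$1"; then
        echo "FAIL: FMW_UPDATE_ROLE_AND_USER_REF_GUIDS is still YES in $1"; rc=1
    fi
    if catalog_refresh_enabled "$2"; then
        echo "FAIL: UpdateAccountGUIDs is still present in $2"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: GUID refresh settings are reset"; fi
    return "$rc"
}

# Constructed sample files: the state left behind if the reset is skipped.
demo=$(mktemp -d)
printf '%s\n' 'FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;' > "$demo/NQSConfig.INI"
printf '%s\n' '<Catalog>' '<UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>' '</Catalog>' > "$demo/instanceconfig.xml"
audit_guid_refresh "$demo/NQSConfig.INI" "$demo/instanceconfig.xml" || true
rm -rf "$demo"
```

Run audit_guid_refresh against the real NQSConfig.INI and instanceconfig.xml on each node after the final restart; a non-zero exit status means a refresh switch was left on.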

IMPLEMENTING SSL IN OBIEE 11G

Follow the steps below to enable a secure HTTPS connection for the OBIEE 11g URL:
1. Log in to the WebLogic Console with the Admin credentials.
2. Navigate to the path: Environment > Servers.
3. Click on the AdminServer(admin) and open the General tab under Configuration.
4. Lock and Edit the configuration.
5. Check the box for ‘SSL Listen Port Enabled’ and enter the value for ‘SSL Listen Port’ as 7002.
Note: We can uncheck the ‘Listen Port Enabled’ checkbox if we do not want anyone to be able to connect to the Console and EM via HTTP.
6. Go back to the Servers and navigate to the bi_server1. Open the General tab under Configuration.
7. Check the box for ‘SSL Listen Port Enabled’ and enter the value for ‘SSL Listen Port’ as 443.
Note: We can uncheck the ‘Listen Port Enabled’ checkbox if we do not want anyone to be able to connect to the application via HTTP.
8. Activate the Changes and restart all the services.
9. Now the services should be available over a secure HTTPS connection. The URL to the WebLogic Console and EM will be as follows:
https://machineName:7002/console
https://machineName:7002/em
and the new application URL will be:
https://machineName/analytics
The port number 443 can also be written in the application URL, but it will be automatically hidden once we connect to the URL.