Oracle Business Intelligence 11g SOA Integration: Antony Heljula, Technical Architect


Oracle Business Intelligence 11g
SOA Integration
Antony Heljula
Technical Architect
Peak Indicators Limited

Agenda
- Action Framework Overview
- Further AF Examples
- What is SOA?
- What are Web Services?
- OBIEE Web Services
- Oracle BPEL
- Web Service Standards
- Oracle Web Services Manager (OWSM)
- Securing Web Services
- Generating a Key Store
- Configuring OWSM
- Configuring ActionFrameworkConfig.xml

Action Framework Overview

Analytic Workflows : Insight to Action

Typical Customer Questions

- How do we initiate it?
- Where do we initiate it?
- What is the technology?
- Can Oracle BI do this?

The Answer! OBIEE 11g Action Framework

Action Framework

- Action Framework is an exciting new feature of OBIEE 11g that provides the facility to invoke a wide variety of actions or processes directly within the UI
- This is a major enhancement, since OBIEE 10g is great for analysis but has limited capability for performing actions once your analysis is complete
- OBIEE 11g Action Framework enables you to:
  - Navigate to related Oracle BI content
  - Invoke operations, functions, or processes in external systems
- Actions can be initiated from:
  - Analyses
  - Dashboard pages
  - Agents (iBots in 10g)
  - Balanced Scorecard objectives and initiatives
  - KPIs

Creating Actions

- Actions can be created as re-usable objects
- Or you can create inline actions:
  - If you only want to use an Action once, you can define it directly within an analysis, dashboard page, agent, scorecard objective, scorecard initiative, or KPI. These inline actions are not re-usable

Actions
Types of Action

- There are various things an Action can do!
- Note: When integrated with Siebel CRM it is also possible to "Navigate to Siebel CRM"

Examples
Navigate to BI Content

- This supersedes navigation in OBIEE 10g

Examples
Conditions

- It is possible to configure Action Links to appear conditionally
  - e.g. "View Sales Order Details" only appears if there are <500 Orders
- Vision Nordics has >500 orders so it is only possible to navigate to a summary analysis
- Vision UK and Ireland has <500 orders so it is possible to navigate to a detail analysis

Examples
Confirmation

- You can also configure Action Links to request confirmation before invoking the action

Examples
On Dashboards

- Dashboard Pages can consist of Action Links and Action Link Menus

Examples
On Dashboards: Action Links

- An Action Link dashboard object will show an individual Action
- NOTE: The Action Link can be displayed conditionally

Examples
On Dashboards: Action Link Menus

- An Action Link Menu dashboard object allows you to display a menu of multiple Action Links

Examples
On KPIs

- KPIs can be configured with multiple Action Links
- The KPI Status can be used to determine which Action Links appear

Examples
On Balanced Scorecards

- Balanced Scorecards can also be configured with multiple Action Links
- The Objective or KPI Status can be used to determine which Action Links appear

Examples
Delivers Agents

- You can initiate multiple Actions once a Delivers Agent has completed
- The Actions can be initiated for every row returned by the Agent!
- You can map the columns returned by the Agent to each of the Action's parameters

Further Examples

Example 1 : Navigate to a Web Page

- In this example, we will demonstrate how to initiate an Action to navigate to a web page and run a Google search for a customer!
- This time, we will create an inline Action

Example 2 : Invoke a Web Service

- In this example, we will demonstrate how to create a named Action that will invoke a web service directly from a Dashboard
- The Action will be called "Adjust Sales Forecast" and will invoke a web service to modify a Sales Rep's forecast target

Example 2 : Invoke a Web Service
Notes

- In order to invoke a web service, you typically need the URL for its Web Services Description Language (WSDL)
  - The owner of the site hosting the web service should be able to provide you with this
  - The WSDL returns an XML file providing details on all the web services that are available, such as the operations available and the parameters that need to be passed
- For example, our web service has the following WSDL:

  http://obiee11g:7001/Adjust_Sales_Forecast-Adjust_Sales_Forecast-context-root/Adjust_Sales_ForecastPort?WSDL

- NOTE: It is possible for the OBIEE administrator to set up a Registry containing a list of available web services, which means you don't need to provide the WSDL URL. Setting up of this Registry will be discussed during a later topic

Example 3 : Invoke a Browser Script

- In this example, a "Get Directions" Action will be used to invoke a piece of browser script (Javascript) that will open Google Maps and show you the directions between your chosen location and the customer!

Example 3 : Invoke a Browser Script
Notes

- The following URL can be generated to get directions using Google Maps:

  http://maps.google.co.uk/maps?&saddr={p1}&daddr={p2}

- Parameters p1 and p2 can be anything such as a postcode or a set of Lat/Long co-ordinates (in the format "Lat,Long")
- In our example, we will pass 3 parameters to our javascript function:
  - Your location
  - Latitude of customer
  - Longitude of customer
- The javascript function will concatenate the Lat/Long coordinates together and pass them to Google Maps as a single parameter

Example 3 : Invoke a Browser Script
Notes

- There is a UserScript.js file provided on the OBIEE server in which you must place your custom Javascript functions
- UserScript.js is located in the following location on the OBIEE server:

  [bi_server1] \bi_server1\tmp\_WL_user\analytics_11.1.1\xxxxx\war\res\b_mozilla\actions

- NOTE: the [bi_server1] path is the following location:

  [Middleware Home]\user_projects\domains\bifoundation_domain\servers\bi_server1

Example 3 : Invoke a Browser Script
Notes

- There is a special syntax for the UserScript.js file
- For each Action you actually provide two separate Javascript functions!
- The 1st function contains the actual code:
  - Function name must be prefixed with "USERSCRIPT."
  - The function accepts a single array of input parameters
  - You refer to input parameters in the format: array.parameter

USERSCRIPT.getdirections = function(params)
{
    // Encode each value so that spaces, "&" or "#" in a location
    // cannot break or alter the query string sent to Google Maps
    var googleURL = "http://maps.google.co.uk/maps?&saddr="
        + encodeURIComponent(params.your_loc)
        + "&daddr="
        + encodeURIComponent(params.dest_lat)
        + ","
        + encodeURIComponent(params.dest_long);
    window.open(googleURL, "GetDirections");
};

Example 3 : Invoke a Browser Script
Notes

- The 2nd function is used to define your input parameters
  - OBIEE uses this to automatically know which parameters are required
- It has the following format (in this case we are defining 3 input parameters):
  - The function has the same name as before, but has the postfix ".publish"
  - Each parameter has 3 elements:
    1) Variable name
    2) Description
    3) Default Value

USERSCRIPT.getdirections.publish =
{
    // No comma after the last entry: a trailing comma adds an empty array element in older IE
    parameters: [
        new USERSCRIPT.parameter("your_loc",  "Your Location",         ""),
        new USERSCRIPT.parameter("dest_lat",  "Latitude Destination",  ""),
        new USERSCRIPT.parameter("dest_long", "Longitude Destination", "")
    ]
};

What is SOA?

Service Oriented Architectures
Many Success Stories

- If you read any IT paper or look at OTN, you will be hit with many success stories about SOA:
  - ".... savings of between 50% and 75% will now be achieved"
  - "....We achieved speed-to-market gains of more than 50%"
  - ".... Over time SOA will shorten time-to-market and reduce operating expenditure"
  - ".... driving greater flexibility, end-to-end integration and informed decision making"
  - ".... 75% reduction in time to market for new services"
  - ".... The solution has lowered costs for processing new customers"
  - ".... SOA will provide greater flexibility around our technology systems"
  - ".... We are roughly twice as fast to market"

What is SOA?

- Despite all the success stories, there still remains a lot of confusion about what exactly SOA is
- One problem is that SOA is an architecture, so it is not necessarily something which is easy to demonstrate or explain
- Another problem is the amount of jargon: there are so many standards and technologies involved that it is difficult to know where to begin
  - Oracle SOA Suite 11g comprises no less than 15 products!

What is SOA?

- A Service Oriented Architecture (SOA) is an enterprise architecture consisting of modular web based services that can be easily integrated and reused, creating a truly flexible and adaptable IT infrastructure
- Each service serves as a building block forming an architecture that supports multiple connected enterprise applications working together to provide streamlined solutions to business problems

What is SOA?

- Behind the scenes, a SOA implementation can consist of a combination of technologies, products and support infrastructure elements
- However, the key factor is that they all integrate via a common set of standards: how each building block is implemented at the back end is irrelevant

[Diagram: a Consumer connected via the Intranet / Internet to CRM, Order Processing, HR and Business Intelligence]

What is SOA?

- In a SOA implementation typically:
  - Communication will be performed over HTTP / HTTPS
  - Messages are delivered in XML format
  - Business functions/processes are presented as Web Services

[Diagram: the Consumer reaches each system over http via the Intranet / Internet; each system presents web services]
- CRM: Create Account, Create Service Request
- Order Processing: Create Order, Bill Customer
- HR: New Employee, Holiday Request
- Business Intelligence: Distribute Performance Report, Initiate Alert

What is SOA?
Action Framework Actions

- Have you noticed that all Actions available with Action Framework are based on HTTP?
- Action Framework puts OBIEE 11g at the heart of a SOA implementation

What are Web Services?

- Web services are programs that can be accessed remotely using XML-based languages
- What each program can do is described in a standard XML format called Web Services Description Language (WSDL)
- The consumer does not need to know how the program is implemented and is only interested in what the program can do (as defined in the WSDL)

[Diagram: Consumer, Intranet / Internet, Web Service Provider with its WSDL]

What are Web Services?

- The Consumer sends a request in the form of a Simple Object Access Protocol (SOAP) message (SOAP is an XML messaging framework designed to allow heterogeneous applications to exchange structured information)
- The web service provider processes the request and returns the response in XML format
- The Web service provider may require some form of credentials to be passed across, messaging may be encrypted

[Diagram: the Consumer sends SOAP + Credentials across the Intranet / Internet to the Web Service Provider (described by its WSDL), which returns an XML Response]

Question

- Question: How do you build a Web Service?
- Answer: You don't need to know! Products such as Oracle JDeveloper build and deploy web services for you!

Demonstration
Building a Web Service

- We shall now demonstrate how to build a PL/SQL web service using Oracle JDeveloper
  - JDeveloper has a wizard to quickly enable you to present a PL/SQL package as a web service
- In our example, the PL/SQL package will be used to update a Sales Forecast amount for a Sales Rep
- The PL/SQL package procedure "pr_update_forecast" accepts 6 parameters

Demonstration
Building a Web Service

- The aim will be to execute the PL/SQL web service within OBIEE using an Action Link!

OBIEE Web Services

- OBIEE 11g comes equipped with a wide range of web services
- There are two different types:
  - Session based web services
  - Web services for SOA (new with OBIEE 11g)
- Refer to the OBIEE 11g Integrator's Guide for detailed information:

  http://download.oracle.com/docs/cd/E14571_01/bi.1111/e16364/toc.htm

Session Based OBIEE Web Services

- A variety of OBIEE session based web services are available:
  - HtmlViewService - obtain HTML to render BI dashboards/reports
  - iBotService - initiate iBots
  - MetadataService - Retrieve info on Subject Areas, Tables, Columns
  - ReplicationService - Replication between Presentation Catalogues
  - ReportEditingService - Add filter and other conditions to BI requests
  - SAWSessionService - Login, Logoff, Impersonate authentication functions
  - SecurityService - Identify BI EE accounts and privileges
  - WebCatalogService - Browsing and Managing the Presentation Catalogue
  - XMLViewService - Retrieve Oracle BI query results in XML format
- Each of these web services contains one or more methods
- They are referred to as "session based" because you have to establish a session with OBIEE first before you can use them (you need to pass in a valid Session Id)
- The Web Services Description Language (WSDL) format for Oracle BI web services can be obtained using the following example URL:

  http://localhost:9704/analytics/saw.dll?WSDL

Session Based OBIEE Web Services
XML Results

- When returning results in XML format, the structure is as follows:
- It is also possible to specify a parameter to return the meta-data for each column of data returned e.g. name, data format, length etc

Session Based OBIEE Web Services
Encapsulating into Workflows

- To satisfy a particular requirement, normally a number of BI EE web services will have to be called in sequence e.g.
  - Log in / Authenticate (SAWSessionService)
  - Obtain results in XML format (XMLViewService)
  - Log off (SAWSessionService)
- This means you have to programmatically call the web services one after the other
  - You log in to obtain the Session Id
  - You call the next web service and pass the Session Id in as a parameter
  - You call the next web service
- These session based web services are therefore not too compatible with Action Framework on their own
  - Action Framework initiates individual Actions with no connection between them

Session Based OBIEE Web Services
Encapsulating into Workflows

- It could be advisable therefore to encapsulate the sequence into a BPEL workflow:
  - The BPEL workflow will itself then be presented as a web service
  - BPEL workflow will orchestrate the initiation of the BI EE web services
  - Action Framework can then initiate this single Action
- This is where Oracle BPEL and SOA Suite come into play....we will discuss more about this later.

OBIEE Web Services for SOA

- OBIEE Web Services for SOA are quite different to the Session Based web services. There are three actions available:
  - Execute Agent
  - Execute Condition
  - Execute Analysis
- You don't need to pass in a valid Session Id to use them
  - They are still secured using a username/password in the credential store
- Prompted filters and presentation variables included in the business intelligence objects are supported
  - For example: if your Analysis has 3 "Is Prompted" filters then you can pass values in for these at run-time
- Only XML results are returned

OBIEE Web Services for SOA
WSIL..not WSDL

- Instead of being provided with a WSDL URL, you are in fact provided with a WSIL (Web Service Inspection Language) URL:

  http://localhost:9704/biservices/inspection?wsil

- This allows OBIEE to dynamically build up the set of web services available based upon the objects in the BI Presentation Catalogue. If you open up the WSIL URL in a browser, you can see that you are able to browse through the catalogue structure and you'll find a web service for each Analysis, Condition and Agent!

OBIEE Web Services for SOA
Example

- Consider this example where we have an Agent called "Sales History Agent"
- We want to use Action Framework to invoke it

OBIEE Web Services for SOA
Create Action : Invoke a Web Service

- Create a new Action of type "Invoke a Web Service"
- You can then browse through the catalog and invoke the web service associated with your Agent!
  - The path to our Agent is: /shared/Agents/Sales History Agent
  - Here is the web service associated with the Agent

OBIEE Web Services for SOA
Configure Parameters

- There are two parameters to configure, you can leave them "Optional":
  - Session Country
  - Session Language

OBIEE Web Services for SOA
Execute the Action!

- Execute the Action and see the "Alerts!" link appear

OBIEE Web Services for SOA
Configuration

- There is some configuration required in order to use OBIEE Web Services for SOA
- Firstly, you have to configure the FMW credential store with the username/password that will be used to browse the web services available
  - This account will always be used for browsing the web services, so users can only execute Actions on objects stored in Shared folders
- Secondly we will configure the ActionFrameworkConfig.xml file with details such as:
  - The WSIL URL to use for browsing the web services
  - The authentication policy to determine what credentials etc are required to invoke the web services

OBIEE Web Services for SOA
Configuration : Step 1

- Open up Enterprise Manager and navigate to: WebLogic Domain > bifoundation_domain
- Then choose the menu option Security > Credentials

OBIEE Web Services for SOA
Configuration : Step 2

- Within the "oracle.bi.enterprise" map, create a new credential key:
  - Key: wsil.browsing
  - Username: weblogic (for example)
  - Password: welcome1 (for example)

OBIEE Web Services for SOA
Configuration : Step 3

- Create a new file called "wss_username_token_policy.xml" and paste in the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<oracle-webservice-clients>
  <webservice-client>
    <port-info>
      <policy-references>
        <policy-reference uri="oracle/log_policy" category="management"/>
        <policy-reference uri="oracle/wss_username_token_client_policy" category="security"/>
      </policy-references>
    </port-info>
  </webservice-client>
</oracle-webservice-clients>

- Save the file in the following location:

  [Middleware Home]\user_projects\domains\bifoundation_domain\config\fmwconfig\biinstances\coreapplication

OBIEE Web Services for SOA
Configuration : Step 4

- Within the same folder, open up the ActionFrameworkConfig.xml file for editing
- Configure the <registries> tags to contain the following registry:
  - You should ensure the ?WSIL path is correct

<registries>
  <registry>
    <id>WS4SOA</id>
    <name>OBIEE Web Services for SOA</name>
    <content-type>webservices</content-type>
    <provider-class>oracle.bi.action.registry.wsil.WSILRegistry</provider-class>
    <description></description>
    <location>
      <path>http://localhost:9704/biservices/inspection?wsil</path>
    </location>
    <service-access>
      <account>wsil.browsing</account>
      <policy>wss_username_token_policy</policy>
      <propagateIdentity>false</propagateIdentity>
    </service-access>
  </registry>
</registries>

OBIEE Web Services for SOA
Configuration : Step 5

- Then configure the <accounts> and <policies> tags to contain the following configuration
  - You should not need to edit anything

<accounts>
  <account>
    <name>wsil.browsing</name>
    <description>Account for BI WS for SOA</description>
    <adminonly>false</adminonly>
    <credentialkey>wsil.browsing</credentialkey>
    <credentialmap>oracle.bi.enterprise</credentialmap>
  </account>
</accounts>
<policies>
  <policy>
    <name>wss_username_token_policy</name>
    <policyfile>wss_username_token_policy.xml</policyfile>
  </policy>
</policies>

OBIEE Web Services for SOA
Configuration : Step 6

- Save the ActionFrameworkConfig.xml file
- Restart the following processes:
  - BI Presentation Services
  - Weblogic managed server "bi_server1"

OBIEE Web Services for SOA
Configuration : Step 7

- Test! You should now be able to create an Action and see that the web services are automatically available for you to choose and execute

OBIEE Web Services for SOA
Important Note!

- Without further configuration, all the Web Services for SOA will be invoked as the same "wsil.browsing" account
  - Everyone has the same visibility of the common "Shared Folders" area
  - Everyone has the same visibility of the user's own "My Folders" area
  - Common data visibility for all users
- However, with further configuration it is possible to secure the web services to run as the user who is invoking the web service rather than the common "wsil.browsing" account

We will be dealing with securing web services in a later topic.
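
An added example, not part of the original slides or of OBIEE: a Python check that reads the registry, account and policy fragments from Steps 4 and 5 and reports each registry whose web services are browsed over plain HTTP or are all invoked as one shared account, as the note above describes. The `<config>` wrapper element, the finding codes and the function names are made up for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the <registries>, <accounts> and <policies> fragments from
# Steps 4 and 5, wrapped in a placeholder <config> root so they parse as one document.
SAMPLE_CONFIG = """<config>
  <registries>
    <registry>
      <id>WS4SOA</id>
      <name>OBIEE Web Services for SOA</name>
      <content-type>webservices</content-type>
      <provider-class>oracle.bi.action.registry.wsil.WSILRegistry</provider-class>
      <location>
        <path>http://localhost:9704/biservices/inspection?wsil</path>
      </location>
      <service-access>
        <account>wsil.browsing</account>
        <policy>wss_username_token_policy</policy>
        <propagateIdentity>false</propagateIdentity>
      </service-access>
    </registry>
  </registries>
  <accounts>
    <account>
      <name>wsil.browsing</name>
      <adminonly>false</adminonly>
      <credentialkey>wsil.browsing</credentialkey>
      <credentialmap>oracle.bi.enterprise</credentialmap>
    </account>
  </accounts>
  <policies>
    <policy>
      <name>wss_username_token_policy</name>
      <policyfile>wss_username_token_policy.xml</policyfile>
    </policy>
  </policies>
</config>"""


def child_text(node, path):
    """Stripped text of the element at `path` below `node`, or '' when it is absent."""
    found = node.find(path)
    return (found.text or "").strip() if found is not None else ""


def audit_action_framework(xml_text):
    """Return (registry id, finding code, explanation) tuples, one per issue found."""
    root = ET.fromstring(xml_text)
    accounts = {child_text(a, "name") for a in root.findall(".//accounts/account")}
    policies = {child_text(p, "name") for p in root.findall(".//policies/policy")}
    findings = []
    for reg in root.findall(".//registries/registry"):
        reg_id = child_text(reg, "id") or "(no id)"
        url = child_text(reg, "location/path")
        account = child_text(reg, "service-access/account")
        policy = child_text(reg, "service-access/policy")
        propagate = child_text(reg, "service-access/propagateIdentity").lower()

        # A username token carries the password in the message itself, so the
        # transport is the only thing that can keep it private.
        if urlsplit(url).scheme.lower() != "https":
            findings.append((reg_id, "cleartext-transport",
                             f"registry URL is not HTTPS: {url}"))
        # With identity propagation off, every caller runs as the stored account.
        if account and propagate != "true":
            findings.append((reg_id, "shared-identity",
                             f"all invocations run as account '{account}'"))
        # References that do not resolve point at a broken or stale configuration.
        if account and account not in accounts:
            findings.append((reg_id, "undefined-account",
                             f"account '{account}' has no <accounts> entry"))
        if policy and policy not in policies:
            findings.append((reg_id, "undefined-policy",
                             f"policy '{policy}' has no <policies> entry"))
    return findings


if __name__ == "__main__":
    for reg_id, code, detail in audit_action_framework(SAMPLE_CONFIG):
        print(f"{reg_id}: {code}: {detail}")
```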

Oracle BPEL

- Oracle BPEL Process Manager is a component of Oracle SOA Suite
- BPEL enables you to build workflows that orchestrate synchronous and asynchronous business processes

Oracle BPEL

- BPEL is designed to sit in the middle of your enterprise, coordinating and sequencing the interactions between various external services (known as partner links) to form single workflows that deliver end-to-end business processes
- You can integrate multiple technology adapters and services within each workflow, such as human tasks, transformations, notifications, and business rules

Oracle BPEL
Integrating with OBIEE

- BPEL is probably the most effective tool when it comes to integration with the session based OBIEE web services
- It enables you to build a single workflow that calls the various OBIEE web services in the appropriate sequence
- You can then deploy the workflow as a single web service which can be centrally secured and monitored

Oracle BPEL
Integrating with OBIEE

- In this example, a BPEL workflow is calling 3 OBIEE web services in sequence:
  - Session Logon
  - Invoke Agent
  - Session Logoff

Oracle BPEL
Advantages of BPEL

- Ability to encapsulate multiple BI EE web service calls into a single workflow
- Fast/simple development
- Fast/simple deployment
- Less client-side javascript (less worrying about IE / Mozilla support)
- Centralised processing, so less client-server communication
- Easy to support / de-bug (debugging someone else's custom java code is not easy!)
- BPEL designer part of JDeveloper
- Process monitoring/performance via BPEL Control
- Standardised development (whereas everyone's custom code is different)
- Easy to orchestrate web-services and other processes/actions
- Good starting point for continued SOA expansion
- Defining XSD schemas using a GUI tool: don't need knowledge of XML schema language

Oracle BPEL
Synchronous vs Asynchronous

- A Synchronous BPEL Workflow is typically used for short-running processes where results can be returned almost immediately back to the invoking client (the client will wait until the results have been returned)
- Asynchronous BPEL Workflows are very useful for environments in which a process, such as one that involves manual intervention, can take a long time to process a client request. The invoking client does not wait for a response, instead the workflow will use a callback to return the results, if any, to the client at a later date/time
- Asynchronous services provide a more reliable fault-tolerant and scalable architecture than synchronous services (storing the process in a database preserves the process and prevents any loss of state or reliability if a system shuts down or a network problem occurs. This feature increases both BPEL process reliability and scalability. You can also use it to support clustering and failover)

Oracle BPEL
Invoking Client

- Each BPEL process is invoked by a client, this could be someone invoking the process manually or part of a scheduled task
- The process will accept some input parameters and return a set of output
- A GUI tool allows you to design the input and output structures
  - We are accepting two input parameters: Username, Agent
  - There is only one output parameter

Oracle BPEL
Invoking a Partner Link (e.g. Web Service)

- Within a BPEL workflow, you typically use 3 objects to invoke an external service:
  - A Partner Link: Defines the external link e.g. a WSDL URL
  - An Invoke activity: Defines the process to initiate and the input/output
  - An Assign Activity: To assign the input parameters to the Invoke activity
- In this case, the input parameters to our "loginOBIEE" partner link will be:
  - Username
  - Password
- These can be passed in from the client invoking the BPEL process

Oracle BPEL
Error Handling

- In the event of an error, a CatchAll activity will direct the workflow down another path of actions
- In this case, the CatchAll is waiting for any errors that might occur during the login process

Oracle BPEL
Loops

- You also have Activities that enable you to perform loops:
  - While
  - Repeat Until
  - For Each
- For example:
  - For each record returned in an XML results set: insert the record into the database

Oracle BPEL
Deployment

- Once your workflow is complete, you can deploy it automatically to your application server
  - The application server should be running SOA Suite

Oracle BPEL
Enterprise Manager

- Once deployed, you use Enterprise Manager to monitor and test your BPEL process

Oracle BPEL
Testing

- You can test your BPEL process from Enterprise Manager (by initiating the web service for the BPEL process)
- Note the two input parameters defined

Oracle BPEL
Support/Monitoring

- You can track, monitor and diagnose issues directly within Enterprise Manager

Web Service Standards

- There are two types of web service supported by Weblogic:
  - JAX-WS: Java API for XML-based Web Services 2.1
  - JAX-RPC: Java API for XML-Based RPC 1.1
- Because JAX-WS is the successor to JAX-RPC and it implements many of the new features in Java EE 5, Oracle recommends that you develop Web services with JAX-WS
- JAX-RPC is considered legacy and the specification is no longer evolving

Oracle Web Services Manager (OWSM)

- OWSM is the Oracle Fusion Middleware component responsible for the centralised management and security of web services across your enterprise
  - It is embedded within FMW Control (Enterprise Manager)
  - WebLogic is automatically configured to serve as an OWSM Agent
- OWSM also manages OBIEE web services

Oracle Web Services Manager (OWSM)
Purpose

- OWSM has three main purposes:
  - Centralised point to apply policies to your web services
    - Policies are security rules. For example, you could lock down a web service so that all messaging must come from a trusted source and the user needs to supply both a username and password (or some form of SSO token)
  - To serve as a web service registry
    - When you have web services dotted everywhere, OWSM can serve as a gateway so that all your web services can be discoverable in a single location
  - Centralised monitoring

Oracle Web Services Manager (OWSM)
Support for JAX-WS/RPC

- Oracle Fusion Middleware 11g currently only supports the use of JAX-WS services
  - This means JAX-RPC web services cannot be administered in Oracle Enterprise Manager
- WebLogic however does still support JAX-RPC web services
  - Therefore, if you have JAX-RPC web services then you have to manage them within WebLogic Console

Oracle Web Services Manager (OWSM)
Web Services Menu

- OWSM functions can be accessed via the main menu for your WebLogic domain

Oracle Web Services Manager (OWSM)
Registering Services

- You can use the "Registered Services" configuration screen to register all your web services, so that they can be referenced in a single place

Oracle Web Services Manager (OWSM)
Monitoring

- Clicking on a WebLogic server will display various performance/usage metrics

Securing Web Services

- The securing of web services is obviously a very important topic
  - If you're not careful, by default your custom web services will have no security so anyone can invoke them from anywhere!
- You can secure web services within OWSM or within WebLogic. You secure a web service by assigning one or more WS Policies
- In the example below, the ExecuteAgent web service has a security policy which enforces authentication using a username and password (Token):

Securing Web Services
Policies

- There are two types of policy that can be attached to web services:
  - Oracle Web Services Manager (WSM) Policy
    - Policy provided by the OWSM
    - You can only attach OWSM security policies to JAX-WS Web services
    - You manage OWSM policies from within Oracle Enterprise Manager Fusion Middleware Control
  - WebLogic Web Service Policy
    - Policy provided by WebLogic Server
    - A subset of WebLogic Web service policies interoperate with Oracle WSM policies
    - You manage WebLogic Web service policies from the WebLogic Admin Console
- NOTE: It is recommended that you use OWSM policies over WebLogic policies whenever possible. You cannot mix your use of Oracle WSM and WebLogic Web service policies on the same web service

Securing Web Services
Predefined Policies

- OWSM and WebLogic come with many predefined policies! The one to use largely depends on the customer's needs
- As a general rule though you can simply consider the policies mentioned on the previous slides

Securing Web Services
Username / Password (Token)

- By default, all the OBIEE Web Services for SOA are configured with a policy that requires valid Username / Password credentials to be passed through
- The credentials are checked against whatever Identity Provider(s) is configured in WebLogic (by default, it will be its own embedded LDAP store)
- In the case of OBIEE 11g, the credentials passed are stored in the Credential Store administered within Enterprise Manager (WebLogic Domain > Security > Credentials)

Securing Web Services
Username / Password (Token)

- Although the policy "wss_username_token_service_policy" secures authentication, it does not cover all security aspects:
  - Confidentiality: There is no use of public/private keys so the messages are not encrypted (usernames/passwords are not even encrypted)
  - Integrity: The messages are not digitally signed, so you cannot guarantee the authenticity of the messages


NOTE: a private key is actually used to digitally sign messages
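
An added example, not from the original slides: a Python check that inspects a captured SOAP request and reports which of the properties discussed above its WS-Security header provides (readable password, digital signature, encrypted body). Both sample messages are constructed, the body element and function names are placeholders chosen here, and the namespaces are the standard OASIS WS-Security, XML Signature and XML Encryption ones.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed request as sent under a username-token-only policy. The credentials
# are the example values from the slides; the body element is a placeholder.
PLAIN_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>weblogic</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">welcome1</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><ex:Request xmlns:ex="urn:example">Sales History Agent</ex:Request></soap:Body>
</soap:Envelope>"""

# Constructed request shaped like one sent with message protection: the token and
# the body are replaced by EncryptedData and the header carries a Signature.
# PLACEHOLDER stands in for real cipher and signature values.
PROTECTED_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
  <soap:Header>
    <wsse:Security>
      <xenc:EncryptedKey><xenc:CipherData>
        <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue>
      </xenc:CipherData></xenc:EncryptedKey>
      <xenc:EncryptedData><xenc:CipherData>
        <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue>
      </xenc:CipherData></xenc:EncryptedData>
      <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body><xenc:EncryptedData><xenc:CipherData>
    <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue>
  </xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>"""


def inspect_soap_security(message):
    """Report the structure of a SOAP message's WS-Security header.

    This checks which elements are present; it does not verify signatures
    or decrypt anything.
    """
    envelope = ET.fromstring(message)
    security = envelope.find("soap:Header/wsse:Security", NS)
    body = envelope.find("soap:Body", NS)
    report = {"username_token": False, "cleartext_password": False,
              "signed": False, "body_encrypted": False}
    if security is not None:
        token = security.find("wsse:UsernameToken", NS)
        if token is not None:
            report["username_token"] = True
            password = token.find("wsse:Password", NS)
            # The UsernameToken profile treats a missing Type as PasswordText.
            if password is not None and password.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT:
                report["cleartext_password"] = True
        report["signed"] = security.find("ds:Signature", NS) is not None
    if body is not None:
        children = list(body)
        encrypted_tag = "{%s}EncryptedData" % NS["xenc"]
        report["body_encrypted"] = bool(children) and all(
            child.tag == encrypted_tag for child in children)
    return report


def missing_protections(report):
    """List the protections from the slide that the inspected message lacks."""
    missing = []
    if report["cleartext_password"]:
        missing.append("password is readable by anyone who can see the message")
    if not report["signed"]:
        missing.append("integrity: message is not digitally signed")
    if not report["body_encrypted"]:
        missing.append("confidentiality: message body is not encrypted")
    return missing


if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_REQUEST), ("protected", PROTECTED_REQUEST)):
        print(name, missing_protections(inspect_soap_security(msg)))
```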

Peak Indicators Limited

91

Securing Web Services


Username / Password (Token) with Message Protection

OWSM provides another policy wss_username_token_with_message_protection_service_policy:

This security policy is much more secure:

Username/password credentials must be supplied
XML Messages are encrypted using public/private key
XML Messages are digitally signed using the private key

The downside is that you always have to supply a password!

You can use the Credential Store for this purpose, but it means you are always passing over the same credentials no matter which user is invoking the service
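
What the difference between the username-token policy and its message-protection variant looks like on the wire, as an added example that is not part of the original slides: a Python check that reports whether a WS-Security request carries a readable password, a signature and an encrypted body. Both SOAP messages are constructed skeletons; the user name, password and executeQuery element are placeholders and cipher values are omitted.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# UsernameToken password type for an unhashed password (also the default when Type is absent)
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

def audit(envelope_xml):
    """Report which protections are visible in one SOAP request."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    pw = sec.find("wsse:UsernameToken/wsse:Password", NS) if sec is not None else None
    return {
        # Confidentiality of the credential: readable by anyone who sees the message
        "cleartext_password": pw is not None and pw.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT,
        # Integrity: an XML Signature in the security header
        "signed": sec is not None and sec.find("ds:Signature", NS) is not None,
        # Confidentiality of the payload: body content replaced by EncryptedData
        "body_encrypted": body is not None and body.find("xenc:EncryptedData", NS) is not None,
    }

# Constructed samples (placeholder user, password and operation; cipher values omitted)
_ENVELOPE = (
    '<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:ds="{ds}" '
    'xmlns:xenc="{xenc}"><soap:Header><wsse:Security>{sec}</wsse:Security>'
    '</soap:Header><soap:Body>{body}</soap:Body></soap:Envelope>')

TOKEN_ONLY = _ENVELOPE.format(
    sec='<wsse:UsernameToken><wsse:Username>svc_user</wsse:Username>'
        '<wsse:Password Type="' + PASSWORD_TEXT + '">example-password</wsse:Password>'
        '</wsse:UsernameToken>',
    body='<executeQuery>report</executeQuery>', **NS)

PROTECTED = _ENVELOPE.format(
    sec='<xenc:EncryptedKey/><ds:Signature/><xenc:EncryptedData/>',
    body='<xenc:EncryptedData/>', **NS)

if __name__ == "__main__":
    for label, msg in (("token only", TOKEN_ONLY), ("message protection", PROTECTED)):
        print(label, audit(msg))
```

Run against a captured request from a test environment, a result with cleartext_password set and neither signed nor body_encrypted means the credential is protected only by whatever the transport provides.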


Securing Web Services


SAML Token with Message Protection

OWSM provides alternative policy wss11_saml_token_with_message_protection_service_policy:

Instead of requiring a password, the client passes over a certificate which is then verified by the server (the server has a key store containing all the valid certificates)

This security policy is also very secure:

Only clients with a trusted certificate are allowed
XML Messages are encrypted using public/private key
XML Messages are digitally signed using the private key

The benefit is that the username of the invoking user is propagated, so this policy supports the need for a service to run as different users. The downside is that the server has to trust that the user is valid. This method is commonly used by partners who need to integrate across the web and can trust each other

NOTE: The propagated user must have an entry in the recipient's LDAP store


Securing Web Services


X509 Token with Message Protection

OWSM provides alternative policy wss11_saml_token_with_message_protection_service_policy:

Instead of requiring a password, an X.509 certificate is passed over to the server to verify that the user has been authenticated and can be trusted (X.509 is commonly used in SSO applications)

This security policy is also very secure:

Only clients with a valid X.509 certificate are allowed
XML Messages are encrypted using public/private key
XML Messages are digitally signed using the private key

The username of the invoking user is propagated, so this policy supports the need for a service to run as different users. X.509 is a stronger and more secure form of SSO compared to SAML. Each user has a certificate which is tied to an individual entry in the company's LDAP store


Generating a Key Store


Generating a Key Store

Oracle Fusion Middleware makes use of a key store to contain:

A private/public key pair
A certificate
The certificates of other trusted sites (for SAML policies)

The key store should reside in the following folder:

[Middleware Home]\user_projects\domains\[domain]\config\fmwconfig

By default, the key store has the filename default-keystore.jks

NOTE: Certificates store information such as Organization Name, Country etc

For production use it is recommended to only use certificates issued by a Certificate Authority (CA) such as Verisign
It is possible though to generate certificates for development/test use


Generating a Key Store

Public/Private Keys

You need to generate a key store whenever you have policies that involve message protection.

Separate key stores should be created on both client and server machines

The client/server should have different public/private keys and certificates

When the web service is invoked, the public keys are exchanged between client and server

The client will then encrypt messages using the server's public key and vice versa
Only the receiver who has the corresponding private key can decrypt the message

To ensure authenticity, both sides will also add a digital signature to their messages:

The sender creates a digital signature by producing a hashed copy of the message and then encrypting it using the sender's private key
The recipient can use the sender's public key to decrypt the hashed copy and verify the authenticity of the sender (as only the sender has the private key that could have generated the hashed copy)


Generating a Key Store

Message Protection and SAML Assertion

For policies involving Message Protection and/or SAML assertion:

The server's key store will need to contain the certificates from all the trusted client machines
The key store on each client machine will need to contain the server's certificate

So you have to perform the following process on all client and server machines:

Generate a new key store containing a private/public key pair and a certificate
Export your certificate
Send your certificate (securely!) to the other server
Import your certificate into the other server's key store


Generating a Key Store

Commands: Generate Keys

Use the following command to generate a default key store file containing a public/private key pair and a certificate:

keytool -genkeypair -keyalg RSA -alias orakey -keypass [password] -keystore default-keystore.jks -storepass [password] -validity 3600

You will be prompted for the following:

What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?


Generating a Key Store

Commands: List Key Store Contents

You can list the contents of your key store by using the following command:

keytool -list -v -keystore default-keystore.jks

NOTES:

You will be prompted for your key store password


Generating a Key Store

Commands: Export Certificate

If you need to send your certificate to the server (e.g. SAML) then you should export your certificate using the following command:

keytool -exportcert -v -alias orakey -file orakey.cer -keystore default-keystore.jks -storepass [password]

NOTES:

This will create a file in the format [alias].cer


Generating a Key Store

Commands: Import Certificate

To import your client certificate into another server's key store you can use the following command:

keytool -import -alias [client_alias] -file [certificate file] -keystore default-keystore.jks

NOTES:

You will be asked to enter the key store password
You will need to confirm that you agree that this is a trusted certificate that you are importing


Generating a Key Store

Commands: Import Certificate

Once you have imported your certificate you can do a keystore list command to list the contents of your key store, which should contain your own key entry and certificate as well as your trusted certificates:

Your own key entry and certificate
Certificate from trusted source


Configuring OWSM


Configuring OWSM
Security Provider Configuration

Whenever you generate a new key store you will need to configure FMW Control with the alias and passwords that you used (you'll have to do this on all servers)

Within Enterprise Manager, expand your WebLogic domain and choose the following from the menu:

WebLogic Domain > Security > Security Provider Configuration


Configuring OWSM
Security Provider Configuration

Click on the Key Store > Configure button.

Enter the alias (typically orakey) and then the Signature and Crypt key store passwords (e.g. welcome1) that were specified when generating the key store.


Configuring ActionFrameworkConfig.xml


Configuring ActionFrameworkConfig.xml

Whenever you want OBIEE to invoke secured web services, you have to configure OBIEE as follows:

Register the web services
Specify the policies
Specify account details

The configuration file is ActionFrameworkConfig.xml which is located in the following folder:

[Middleware_Home]\user_projects\domains\[Domain]\config\fmwconfig\biinstances\coreapplication

Whenever you make changes to ActionFrameworkConfig.xml you need to restart:

The OBIEE managed server (bi_server1)
BI Presentation Services


Configuring ActionFrameworkConfig.xml
<aliases>

First of all, you can specify a list of Aliases within the <aliases> section

To facilitate deployment and release processes, these Aliases mean you don't have to hard code server names/IP addresses in your system. Instead you can refer to server aliases, which OBIEE will translate at run-time into their actual server names:

<aliases>
  <location-alias>
    <alias>obiee11g</alias>
    <actual>obiee11g-prod</actual>
  </location-alias>
  <location-alias>
    <alias>soasuite</alias>
    <actual>soasuite-prod</actual>
  </location-alias>
</aliases>


Configuring ActionFrameworkConfig.xml
<accounts>

For any username/password policies, you will need to list a number of account credentials in the <accounts> section:

<accounts>
  <account>
    <name>wsil.browsing</name>
    <description>Account for BI WS for SOA</description>
    <adminonly>false</adminonly>
    <credentialkey>wsil.browsing</credentialkey>
    <credentialmap>oracle.bi.enterprise</credentialmap>
  </account>
</accounts>

NOTES:
The <name> element will be used as a reference elsewhere in the file
The <credentialkey> and <credentialmap> elements must refer to a credential key in the FMW Credential Store (WebLogic Domain > Security > Credentials)


Configuring ActionFrameworkConfig.xml
<policies>

You should list all the different types of policies that are in use within the <policies> section

<policies>
  <policy>
    <name>SAMLPolicy</name>
    <policyfile>ActionsSAMLPolicy.xml</policyfile>
  </policy>
  <policy>
    <name>wss_username_token_policy</name>
    <policyfile>wss_username_token_policy.xml</policyfile>
  </policy>
  <policy>
    <name>wss_username_token_message_protection_policy</name>
    <policyfile>wss_username_token_message_protection_policy.xml</policyfile>
  </policy>
</policies>

NOTES:
The <name> element will be used as a reference elsewhere in the file
Each policy will have its own .xml file separately created, the name of the file should be within the <policyfile> element (we will do this next)


Configuring ActionFrameworkConfig.xml
Create Policy Files

Create a separate .xml file for each <policyfile> entry referenced in the <policies> section:

<?xml version="1.0" encoding="UTF-8"?>
<oracle-webservice-clients>
  <webservice-client>
    <port-info>
      <policy-references>
        <policy-reference uri="oracle/log_policy" category="management"/>
        <!-- Name of client policy -->
        <policy-reference uri="oracle/wss_username_token_client_policy" category="security"/>
      </policy-references>
    </port-info>
  </webservice-client>
</oracle-webservice-clients>

IMPORTANT NOTE:

This file should contain the client policy. So if your policy is wss_username_token_service_policy then in this file you should state wss_username_token_client_policy


Configuring ActionFrameworkConfig.xml
<registries> : Example 1

The <registries> section should list all the web services that you wish the OBIEE end users to use:

Only WSIL URLs are supported in the <registry> section

This example is for a simple username/password policy:

<registries>
  <registry>
    <id>WS4SOA</id>
    <name>OBIEE Web Services for SOA</name>
    <content-type>webservices</content-type>
    <provider-class>oracle.bi.action.registry.wsil.WSILRegistry</provider-class>
    <description></description>
    <location>
      <path>http://localhost:9704/biservices/inspection?wsil</path>
    </location>
    <service-access>
      <!-- Maps to a credential store key and policy -->
      <account>wsil.browsing</account>
      <policy>wss_username_token_policy</policy>
      <propagateIdentity>false</propagateIdentity>
    </service-access>
  </registry>
</registries>


Configuring ActionFrameworkConfig.xml
<registries> : Example 2

This example is for a username/password policy with message protection:

<registries>
  <registry>
    <id>WS4SOA</id>
    <name>OBIEE Web Services for SOA</name>
    <content-type>webservices</content-type>
    <provider-class>oracle.bi.action.registry.wsil.WSILRegistry</provider-class>
    <description></description>
    <location>
      <path>http://localhost:9704/biservices/inspection?wsil</path>
    </location>
    <service-access>
      <account>wsil.browsing</account>
      <policy>wss_username_token_message_protection_policy</policy>
      <propagateIdentity>false</propagateIdentity>
    </service-access>
  </registry>
</registries>


Configuring ActionFrameworkConfig.xml
<registries> : Example 3

This example is for a SAML policy with message protection:

<propagateIdentity> is set to true as we will want to propagate the invoker's username instead of using a fixed credential from the credential store

<registries>
  <registry>
    <id>WS4SOA</id>
    <name>OBIEE Web Services for SOA (SAML)</name>
    <content-type>webservices</content-type>
    <provider-class>oracle.bi.action.registry.wsil.WSILRegistry</provider-class>
    <description></description>
    <location>
      <path>http://localhost:9704/biservices/inspection?wsil</path>
    </location>
    <service-access>
      <policy>SAMLPolicy</policy>
      <propagateIdentity>true</propagateIdentity>
    </service-access>
  </registry>
</registries>

As SAML is based on trusted certificates, we won't need to provide a password for authentication. So we don't specify a credential store account here
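
A consistency check for the cross-references between the <accounts>, <policies> and <registries> sections, as an added example that is not part of the original deck or of OBIEE. The rules are inferred from the three registry examples above; the <config> wrapper element and the WS4SOA_SAML registry in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def check_config(xml_text):
    """Return a list of cross-reference problems in an ActionFrameworkConfig.xml document."""
    root = ET.fromstring(xml_text)
    problems, accounts = [], set()
    for acc in root.findall(".//accounts/account"):
        name = (acc.findtext("name") or "").strip()
        accounts.add(name)
        # Each account must point at an entry in the credential store
        for field in ("credentialkey", "credentialmap"):
            if not (acc.findtext(field) or "").strip():
                problems.append(f"account '{name}': missing <{field}>")
    policies = {(p.findtext("name") or "").strip()
                for p in root.findall(".//policies/policy")}
    for reg in root.findall(".//registries/registry"):
        rid = (reg.findtext("id") or "?").strip()
        access = reg.find("service-access")
        if access is None:
            continue  # nothing to cross-check for this registry
        account = (access.findtext("account") or "").strip()
        policy = (access.findtext("policy") or "").strip()
        propagate = (access.findtext("propagateIdentity") or "").strip().lower() == "true"
        if policy and policy not in policies:
            problems.append(f"registry '{rid}': policy '{policy}' is not declared in <policies>")
        if account and account not in accounts:
            problems.append(f"registry '{rid}': account '{account}' is not declared in <accounts>")
        # A secured call needs an identity: a fixed account or the propagated user
        if policy and not account and not propagate:
            problems.append(f"registry '{rid}': no <account> and propagateIdentity is not true")
    return problems

# Constructed sample: the second registry is deliberately misconfigured
SAMPLE = """<config>
 <accounts><account><name>wsil.browsing</name>
   <credentialkey>wsil.browsing</credentialkey>
   <credentialmap>oracle.bi.enterprise</credentialmap></account></accounts>
 <policies><policy><name>wss_username_token_policy</name>
   <policyfile>wss_username_token_policy.xml</policyfile></policy></policies>
 <registries>
  <registry><id>WS4SOA</id><service-access><account>wsil.browsing</account>
    <policy>wss_username_token_policy</policy>
    <propagateIdentity>false</propagateIdentity></service-access></registry>
  <registry><id>WS4SOA_SAML</id><service-access><policy>SAMLPolicy</policy>
    <propagateIdentity>false</propagateIdentity></service-access></registry>
 </registries></config>"""

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE)))
```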



Questions?


Helping Your Business Intelligence Journey
