This document covers the integration of Oracle Access Manager (OAM) and
Oracle Business Intelligence Enterprise Edition (Oracle BI EE). OAM and Oracle
BI EE are configured based on the Oracle BI EE Deployment Guide (Chapter 8).
This document covers:
Oracle BI EE 10g 10.1.3.2 - 10.1.3.4 +
Oracle Access Manager (OAM) 10.1.4.x
Note: Earlier versions of OAM (Oblix 7.x) have been known to integrate
successfully with Oracle BI EE 10g. Read through the entire document before
proceeding with the steps.
The two main steps in this document cover the general steps that are
required to successfully configure Oracle BI EE and OAM.
As documented in the System Requirements and Supported Platforms (SRSP)
document, Oracle BI EE is certified with the products listed there and supports the
standards listed for identity management and single sign-on products. Although
OAM is not explicitly documented in the SRSP, it is supported as an Identity
Management solution. The steps to integrate follow:
1. OBIEE - LDAP authentication
Create a new LDAP Server entry in the repository (rpd) for the LDAP directory in
which the OAM users are stored, using the following procedure.
a. To modify the repository for user authentication in the LDAP Directory

Open the rpd in the BI Administration Tool and select Manage > Security from
the application menu.
From the Security Manager menu, choose Action > New > LDAP Server.
In the General tab, enter values for the fields as shown in the following example:
Hostname = <LDAP Directory hostname>
Port number = <LDAP Directory port>
LDAP version = <LDAP 3>
Base DN = <Base distinguished name (DN)>
Bind DN = <Distinguished name required to bind to the LDAP Directory>
Bind password = <Password of the bind DN>
where the Base DN field identifies the starting point of the authentication
search.
If the Bind DN and Bind password entries are left blank, anonymous binding is
assumed.

Return to the General tab and click the Test Connection button to ensure that the
connection to the LDAP Directory server is successful.
b. Configuring the Initialization Block Used for User Authentication

Create a new initialization block; it can be named Authentication. In the Session
Variable Initialization Block window, click the Edit Data Source button. Select
LDAP as the Data Source Type from the drop-down, click the Browse button, and
select the LDAP Server that was created in the step above.
Click the Edit Data Target button. In the System Session Variable window,
click New and enter "USER" in the Name field. Click OK, and click OK again when
asked to confirm that you want to use this name. Map the LDAP attribute uid to the
USER variable.
Test the authentication by clicking the Test button in the Session Variable
Initialization Block window.

2. Configuring BI Presentation Services to Use the Impersonator User
The steps to configure BI Presentation Services to use the Impersonator user
are:

a. Creating the Oracle BI Server Impersonator User

Open the BI Server repository file (.rpd) using the BI Administration Tool.
Select Manage > Security to display the Security Manager.
Select Action > New > User to open the User dialog box.
Enter a name and password for this user.
For example, Name = Impersonator and Password = secret.
Click OK to create the user.
Make this user a member of the group Administrators:
Double-click the icon for the user that was created.
In the Group Membership portion of the dialog box, check the Administrators
group.

b. Adding the Impersonator User Credentials to the Oracle BI
Presentation Services Credential Store

1. Open a command prompt window or command shell on the machine where BI
Presentation Services has been installed.

2. Navigate to the directory OracleBI/web/bin.

3. Execute the CryptoTools utility to add the impersonator user credentials to the
BI Presentation Services Credential Store:
cryptotools credstore -add -infile OracleBIData/web/config/credentialstore.xml
4. Supply values for the prompted parameters, as shown:
C:\OracleBI\web\bin>cryptotools credstore -add -infile C:/OracleBIData/web/config/credentialstore.xml
>Credential Alias: impersonation
>Credential "impersonation" already exists. Do you want to overwrite it? y/n (y) : y
>Username: Impersonator
>Password: password
>Do you want to encrypt the password? y/n (y): y
>Passphrase for encryption:password123
>Do you want to write the passphrase to the xml? y/n (n): n
>File "C:/OracleBIData/web/config/credentialstore.xml" exists. Do you want to overwrite it? y/n (y) : y
c. Configuring Oracle BI Presentation Services to Identify the Credential
Store and Decryption Passphrase
1. Locate the <CredentialStore> node within the instanceconfig.xml file.

2. Specify attribute values as shown in the following example.
If the <CredentialStore> node does not exist, create this element with the
sub-elements and attributes, and the attribute values, given in the following example.
<WebConfig>
<ServerInstance>
<!-- other settings ... -->
<CredentialStore>
<CredentialStorage type="file" path="<path to credentialstore.xml>"
passphrase="<passphrase>"/>
<!-- other settings ... -->
</CredentialStore>
<!-- other settings ... -->
</ServerInstance>
</WebConfig>
After the modification, the CredentialStore node in the instanceconfig.xml file looks as
below:
<?xml version="1.0"?>
<WebConfig>
<ServerInstance>
<!-- other settings ... -->
<CredentialStore>
<CredentialStorage type="file" path="C:/OracleBIData/web/config/credentialstore.xml" passphrase="password123"/>
<!-- other settings ... -->
</CredentialStore>
<!-- other settings ... -->
</ServerInstance>
</WebConfig>
d. Configuring BI Presentation Services to Operate with the OAM Solution
1. Open instanceconfig.xml for editing. Locate the <Auth> element. If this does
not exist, create this element, its sub-elements and parameters as shown in the
following example:
<!-- other settings ... -->
<Auth>
<SSO enabled="true">
<ParamList>
<!-- The IMPERSONATE param is used to get the authenticated user's
username and is required -->
<Param name="IMPERSONATE"
source="httpHeader"
nameInSource="SSO_UID"/>
</ParamList>
</SSO>
</Auth>
2. Secure the machines that are permitted to communicate with BI Presentation
Services directly.
This is done by setting the Listener\Firewall node in instanceconfig.xml with
the list of HTTP Server or servlet container IP addresses. For example:
<Listener>
<Firewall>
<Allow address="127.0.0.1"/>
<Allow address="<IP address of the HTTP Server or servlet container>"/>
</Firewall>
<!-- other settings ... -->
</Listener>

Other Notes:
1. Oracle BI must be deployed behind a web server that is protected by an OAM
WebGate. Some customers have tried to SSO-protect Oracle BI while
using the standalone OC4J, which will not work.

2. A policy must be created in OAM to protect the /analytics URL.
- This policy must have an authorization action that sets the HTTP
header variable referenced in instanceconfig.xml (the value can be passed
as a header variable or a cookie; a header variable is the preferred method).

3. Get dynamic group membership working before attempting to enable
SSO (OAM, OSSO, or other). Enabling SSO first can hamper the ability to log in to the
system as an Administrator: you do not want to SSO-enable the system and then
find that the rpd "Administrator" account no longer works. There must be a user
in the LDAP directory that has administrative permissions in Oracle BI before
turning on SSO.

Troubleshooting:
As with all integrations, it is recommended that an implementer with knowledge of
both OAM and Oracle BI EE participates in the configuration, to handle problems that
can arise.
Symptom: after setup, when login is attempted the user encounters the "Not Logged In"
message, while with SSO disabled the user login is successful.
This can occur for several reasons; one of the more common is an
httpHeader mismatch between what the SSO server sends and what Oracle BI
EE expects. If this is the case, knowledge of the SSO server is very valuable.
To diagnose this scenario, make a backup and then edit the
OracleBIData/web/config/logconfig.xml file, adding the following two tags inside
the Filters tag:
<FilterRecord writerClassGroup="File" path="saw.httpserver.request"
information="100" warning="100" error="100" security="100"/>
<FilterRecord writerClassGroup="File" path="saw.httpserver.response"
information="100" warning="100" error="100" security="100"/>

These tags generate more meaningful output: they log what Oracle BI EE
receives in each HTTP request (and sends in each response), which can be used
to validate the setup of Step 2d.
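As an added check (not part of this note or of Oracle's own tooling), the following Python reads the Step 2d settings from an instanceconfig.xml and classifies a request forwarded by the web server the way Presentation Services would see it, which is exactly the httpHeader-mismatch diagnosis described above. The embedded XML, the header name SSO_UID, the sample addresses and the case-insensitive header comparison are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed instanceconfig.xml fragment (sample input, not a real deployment file).
INSTANCECONFIG = """<?xml version="1.0"?>
<WebConfig>
 <ServerInstance>
  <Auth>
   <SSO enabled="true">
    <ParamList>
     <Param name="IMPERSONATE" source="httpHeader" nameInSource="SSO_UID"/>
    </ParamList>
   </SSO>
  </Auth>
  <Listener>
   <Firewall>
    <Allow address="127.0.0.1"/>
    <Allow address="10.0.0.5"/>
   </Firewall>
  </Listener>
 </ServerInstance>
</WebConfig>"""


def sso_settings(xml_text):
    """Return (sso_enabled, impersonate_header, allowed_ips) from instanceconfig.xml text."""
    root = ET.fromstring(xml_text)
    sso = root.find("./ServerInstance/Auth/SSO")
    enabled = sso is not None and sso.get("enabled", "false").lower() == "true"
    header = None
    if sso is not None:
        for param in sso.iter("Param"):
            if param.get("name") == "IMPERSONATE" and param.get("source") == "httpHeader":
                header = param.get("nameInSource")
    allowed = {a.get("address") for a in root.iter("Allow")}
    return enabled, header, allowed


def check_request(xml_text, headers, source_ip):
    """Classify a forwarded request (header dict, peer address) against the SSO config."""
    enabled, header, allowed = sso_settings(xml_text)
    if not enabled:
        return "sso-disabled"            # normal login form is used instead
    if allowed and source_ip not in allowed:
        return "blocked-by-firewall"     # Listener/Firewall rejects the peer
    # Assumption: header names are compared case-insensitively, as HTTP itself does.
    present = {k.upper(): v for k, v in headers.items()}
    if header is None or header.upper() not in present:
        return "header-mismatch"         # the "Not Logged In" symptom
    return "user:" + present[header.upper()]
```

Comparing the header name reported as "header-mismatch" with the names that appear in the saw.httpserver.request log entries is the quickest way to spot which side of the integration is misconfigured.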

Summary
This note describes the security integration between Oracle BI EE and Oracle
Access Manager.
