Configure OBIEE 11.1.1.5 SSO with Active Directory/Windows Authentication
To configure OBIEE 11.1.1.5 to use Windows Native Authentication in an SSO environment, follow the Oracle Technote “Configuring authentication and SSO with Active Directory and Windows Native Authentication in Oracle Business Intelligence Enterprise Edition”, except for the following steps:
  • You must use JRockit 1.6 instead of the standard JDK 1.6.
  • When you create the keytab file, you must use the KTPASS command line (like Linux), setting the Key Version Number (kvno option) to 0. For Windows Server 2003 the ktpass command is in the Windows Server 2003 Support Tools.
  • Redeploy the Analytics application following Support Note 1286864.1.
    Alternatively, you can manually deploy the weblogic.xml and web.xml files.


Summary of the procedure:

Configure OBIEE to use JRockit

  • In the file setDomainEnv.cmd (located in the %MW_HOME%\user_projects\domains\bifoundation_domain\bin directory) add the following line:
    set JAVA_VENDOR=Oracle
  • Restart the applications
     

Configure Active Directory as User Store

Strictly follow the procedure described in the Oracle Document
  • Log in to the Weblogic Console in
  • Click Lock & Edit
  • Go to Security Realm->"myrealm"->Providers->Authentication
  • Create a new Authenticator Provider
     - Example name: ADAuthenticator
     - Type: ActiveDirectoryAuthenticator
  • For the new provider
     - Reorder it as first provider (Reorder button)
     - In common authentication settings: set Control Flag to SUFFICIENT
     - In Provider Specific Settings set the connection parameters to the AD Domain Server
  • Edit the DefaultAuthenticator
     - In common authentication settings: set Control Flag to SUFFICIENT
  • Click Activate Changes
  • Restart Weblogic and verify your configuration: in Security Realm->"myrealm"->"Users and Groups" you can see AD users and groups
  • Reset the OBIEE System User using a new domain user:
    - Create a new AD user (Ex: AdBiSystemUser)
    - Log in to Enterprise Manager
    - Go to Weblogic Domain->bifoundation_domain->(left mouse button) Security->Application Roles
    - In "Application Stripe to Search" select "odi" and click the "play" button
       - Click the BiSystem role
       - Click "Add User"
       - Add the newly created user
       - Click "Ok"
    • Log in to the Weblogic Admin Console
    • Go to Security Realm->"myrealm"->"Roles and Policies"->"Realm roles"
    • Select "Global Roles"->"Admin" and click "View Roles Condition"
    • Click "Add Condition"->"User" and add the newly created user
    • Restart all

Configure Windows SSO with Kerberos

  • Create a new AD account to use as the Kerberos principal (Ex: obieessouser)
  • Modify the account properties:
    - Set "Use DES Encryption types for this account"
    - "Do not require Kerberos pre-authentication" must be unchecked
  • Create the Service Principal Names (SPN) associated with this account.
    The SPNs must be the following:
    HTTP/<Fully qualified name of OBIEE server>
    HTTP/<Hostname of OBIEE server>
  • The SPNs must be created with the setspn command on a domain server.
    For example:
    setspn.exe -A HTTP/OBIEE2003.anfa.com obissouser
    setspn.exe -A HTTP/OBIEE2003 obissouser
  • Create the file krb5.ini in c:\windows on the OBIEE server with the content described in the documentation:

    [libdefaults]
    default_realm = <Your Kerberos realm – remember all caps>
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    ticket_lifetime = 600

    [realms]
    <Your Kerberos realm – remember all caps> = {
    kdc = <IP address of the KDC/AD server>
    admin_server = <host name of the KDC/AD server>
    default_domain = <Windows domain name in caps>
    }

    [domain_realm]
    .<DNS domain name suffix, starting with .> = <Your Kerberos realm – remember all caps>

    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

  • Create the keytab file in the %MW_HOME%\user_projects\domains\bifoundation_domain directory
    - Use the ktpass command (this is not the exact procedure described in the documentation), setting the kvno option to 0
    - The ktpass command can be found in Windows Server 2008 and in the Windows Server 2003 Support Tools.
    - Use the following syntax (entered as a single command line):

    ktpass.exe -princ <account-name>@<REALM-NAME> -mapuser <account-name> -pass <account-password> -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -out %MW_HOME%\user_projects\domains\bifoundation_domain\<Keytab file> -kvno 0

    - Verify the configuration with the kinit command (see the Oracle Whitepaper):

    kinit.exe -k -t %MW_HOME%\user_projects\domains\bifoundation_domain\<Keytab File> <account-name>

  • Create the krb5Login.conf file in the %MW_HOME%\user_projects\domains\bifoundation_domain directory with the following content (see the Whitepaper for the details):

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="<Service principal account>@<Kerberos realm>"
        keyTab=<Name of the keytab file we created, relative to Weblogic domain directory>
        useKeyTab=true
        storeKey=true
        debug=true;
    };

  • Modify the setDomainEnv.cmd file in the %MW_HOME%\user_projects\domains\bifoundation_domain\bin directory and add the following line just before "set JAVA_PROPERTIES=... ":
    set EXTRA_JAVA_PROPERTIES=-Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true %EXTRA_JAVA_PROPERTIES%
  • Configure Weblogic Single Pass Negotiate Identity
    - Log in to the Weblogic Console
    - Go to Security Realm->"myrealm"->Providers->Authentication
    - Click Lock & Edit
    - Create a new Authenticator Provider
    - Example name: SPNEGOAsserter
    - Type: NegotiateIdentityAsserter
    - Reorder the providers, putting the new NegotiateIdentityAsserter in second place (after the AD Authenticator)
    - Click "Activate Changes"
    - Restart all applications
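
A pre-flight check for the krb5.ini and krb5Login.conf files created in the steps above, as an added example that is not part of the original page or of Oracle's documentation: it cross-checks the realm in krb5.ini against the principal in krb5Login.conf and reports two settings worth revisiting once the setup works, the single-DES enctypes (deprecated for Kerberos by RFC 6649) and debug=true. The function names, EXAMPLE.COM, 192.0.2.10 and obiee.keytab are assumptions made for the illustration, and the sample files are constructed.

```python
import re
# Constructed sample files; realm, KDC address and keytab name are placeholders.
KRB5_INI = """[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = 192.0.2.10
}
"""
JAAS_CONF = """com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="obissouser@example.com"
keyTab=obiee.keytab
useKeyTab=true
storeKey=true
debug=true;
};
"""

def parse_krb5(text):  # flat parse into {section: {key: value}}
    cfg, sec = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            sec = cfg.setdefault(m.group(1), {})
        elif "=" in line and sec is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sec[key] = value
    return cfg

def check(krb5_text, jaas_text):
    """Return findings for krb5.ini and krb5Login.conf taken together."""
    cfg, out = parse_krb5(krb5_text), []
    lib = cfg.get("libdefaults", {})
    realm = lib.get("default_realm", "")
    if not realm or realm != realm.upper():
        out.append("default_realm missing or not all caps")
    if realm not in cfg.get("realms", {}):
        out.append("no [realms] entry for default_realm")
    m = re.search(r'principal="[^"@]+@([^"]+)"', jaas_text)
    if not m or m.group(1) != realm:
        out.append("JAAS principal realm differs from default_realm")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if any(t.startswith("des-") for t in lib.get(key, "").lower().split()):
            out.append(key + " lists a single-DES enctype")
    if re.search(r"^\s*debug\s*=\s*true", jaas_text, re.M):
        out.append("Krb5LoginModule debug=true is enabled")
    return out
```

The constructed sample deliberately writes the principal's realm in lower case, so the realm comparison fails alongside the DES and debug findings.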

     

Configure SSO in OBIEE

Modify and redeploy the analytics application (following the Oracle Whitepaper and Support Note 1286864.1):

  • Unpack analytics.ear and modify MANIFEST.INF
  • Unpack analytics.war, modify the file web.xml and add weblogic.xml
  • Recreate analytics.war and analytics.ear
  • Update the analytics application in the Weblogic Console
  • Alternatively, you can modify/add the xml files directly in the deployment directory (ex: %MW_HOME%/Oracle_BI1/bifoundation/web/app/WEB-INF)
  • Restart the OBIEE application.
  • Note: the weblogic.xml file specifies the domain groups that are permitted to access OBIEE (as user or as admin)
     
     

Copyright © Iconsulting Srl, c.f./p.iva: 02175721204