I am running the following setup:
OBIEE
    Oracle Business Intelligence Product Version 10.1.3.3.2 (Build 071217.1900)
    Physical Presentation Catalog Path /apps/installs/OracleBIData/web/catalog/paint/root
    Oracle BI Server Data Source AnalyticsWeb
Analytics WebApp
    Turned off OC4J, and deployed Analytics.war file on its own Apache-Tomcat instance
    The Tomcat instance listens on port 9090
Siteminder (SSO) / Proxy Tier
    I am running an Apache Web Server instance protected by CA Siteminder's SSO policy
    AWS is listening on port 80, and acting as a proxy to redirect requests for Analytics.
    Example:
        Tomcat Analytics: http://localhost:9090/analytics/
        AWS: http://localhost:80/obiee/ ==> http://localhost:9090/analytics/
I am doing testing with the out of the box Paint repository & set of dashboards. My goal is to:
1. Protect OBIEE behind SSO
2. Allow ANY SSO authenticated user to gain access to OBIEE Analytics
3. Remove OBIEE's own authentication / login screen
Effectively:
1. Browse to http://localhost/obiee/
2. Get redirected to SSO login landing page
3. Authenticate via SSO
4. Upon successful SSO authentication, get redirected to the default OBIEE dashboard
So far, so good. I followed the guide for SSO integration found here: http://download.oracle.com/docs/cd/E12096_01/books/AnyDeploy/AnyDeploySSO.html
I've added the necessary entries on my instanceconfig.xml ($ORACLEBIDATA_HOME/web/config/instanceconfig.xml) as follows
<Auth>
    <SSO enabled="true">
        <ParamList>
            <Param name="IMPERSONATE" source="httpHeader" nameInSource="eid"/>
        </ParamList>
    </SSO>
</Auth>
<CredentialStore>
    <CredentialStorage type="file" path="/apps/installs/OracleBIData/web/config/credentialstore.xml" passphrase="***********"/>
</CredentialStore>
I've created an Impersonator user and impersonation alias on my credentialstore.xml file using:
cryptotools credstore -add -infile $ORACLEBIDATA_HOME/web/config/credentialstore.xml
Credential Alias: impersonation
Username: Impersonator
Password: ***********
Do you want to encrypt the password? y/n (y):
Passphrase for encryption: ***********
Do you want to write the passphrase to the xml? y/n (n):
File "<OracleBIData>/web/config/credentialstore.xml" exists. Do you want to
overwrite it? y/n (y):
I've also added the Impersonator user to the repository using BI Administrator. I opened the repository online and added Impersonator as a user, with the same password I defined when I used cryptotools. I included the Impersonator user on the same groups as the default Administrator (Administrators & XMLP_ADMIN) and subsequently checked my changes back into the server. After everything was done, I bounced presentation and BI servers through:
$ run-sa.sh stop
$ run-saw.sh stop
$ run-sa.sh start
$ run-saw.sh start
Presentation services starts up fine, BI server starts up fine as well. When I browse to the Apache Web Server site, I get redirected to SSO, I pass my credentials, and then wind up on the /saw.dll?Dashboard URI but I get the following message:
You are not currently logged in to the Oracle BI Server.
If you have already logged in, your connection might have timed out, or a communications or server error may have occurred.
Here are the relevant log entries from $ORACLEBIDATA_HOME/web/log
sawlog0.log - I replaced the actual username with <SSOUID>. <SSOUID> is the actual SSO header I need.
Oracle BI Presentation Services have started successfully.
---------------------------------------
Type: Error
Severity: 40
Time: Fri Jul 23 12:02:57 2010
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-1,1;ThreadID-4096981904
Location:
saw.odbc.connection.open
saw.connectionPool.getConnection
saw.threadPool
saw.threads
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for <SSOUID> in repository Star: invalid user/password. (08004)
---------------------------------------
Type: Error
Severity: 42
Time: Fri Jul 23 12:02:57 2010
File: project/webconnect/connection.cpp Line: 276
Properties: ThreadID-4096981904
Location:
saw.connectionPool.getConnection
saw.threadPool
saw.threads
Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
----------------------------------------
I am at a total loss with this. If I am understanding the OBIEE stack correctly, this would seem to indicate:
a. The impersonation credentials on the credentialstore.xml file are not being decrypted correctly, or the password actually doesn't match. But I've triple checked this.
b. The impersonation alias is not being recognized by presentation services.
I would really appreciate any input here. If I've left out any relevant items, please ask questions and I'll try to be as thorough as possible.
Thanks in advance!
Miguel.-
Edited by: user11343977 on Jul 23, 2010 11:49 AM
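
Added example, not part of the original post and not Oracle code: a small parser for the sawlog record layout quoted above that pulls out the nQSError codes and the user and repository named in each 43001 authentication failure, so failed SSO logins can be counted per user. The sample log is constructed from the layout in the post, "jdoe" is a made-up user name, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the record layout shown in the post; "jdoe" is made up.
SAMPLE_LOG = """\
Oracle BI Presentation Services have started successfully.
---------------------------------------
Type: Error
Severity: 40
Time: Fri Jul 23 12:02:57 2010
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-1,1;ThreadID-4096981904
Location:
saw.odbc.connection.open
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for jdoe in repository Star: invalid user/password. (08004)
---------------------------------------
Type: Error
Severity: 42
Time: Fri Jul 23 12:02:57 2010
File: project/webconnect/connection.cpp Line: 276
Authentication Failure.
----------------------------------------
"""

SEPARATOR = re.compile(r"^-{20,}\s*$", re.MULTILINE)
HEADER = re.compile(r"^(Type|Severity|Time|File|Properties): *(.*)$", re.MULTILINE)
NQS_ERROR = re.compile(r"\[nQSError: (\d+)\]")
AUTH_FAILED = re.compile(r"Authentication failed for (\S+) in repository (\S+):")

def parse_records(text):
    """Split the log on dashed separator lines and parse each 'Type:' record."""
    records = []
    for chunk in SEPARATOR.split(text):
        if not chunk.lstrip().startswith("Type:"):
            continue  # startup banner or empty text between separators
        rec = {k.lower(): v.strip() for k, v in HEADER.findall(chunk)}
        rec["nqs_errors"] = NQS_ERROR.findall(chunk)
        m = AUTH_FAILED.search(chunk)
        rec["failed_user"], rec["repository"] = m.groups() if m else (None, None)
        records.append(rec)
    return records

def failed_logins(records):
    """Count nQSError 43001 authentication failures per (user, repository)."""
    return Counter((r["failed_user"], r["repository"])
                   for r in records if "43001" in r["nqs_errors"])
```

Calling failed_logins(parse_records(open(path).read())) on a real sawlog0.log gives the per-user failure counts; the user name it reports is the account the BI Server was asked to authenticate.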