Managing Security For Oracle Analytics Server


Oracle Analytics
Managing Security for Oracle Analytics Server
5.9.0
F24229-10
June 2021

Oracle Analytics Managing Security for Oracle Analytics Server, 5.9.0
F24229-10
Copyright 2020, 2021, Oracle and/or its affiliates.
Primary Author: Stefanie Rhone
Contributors: Oracle Business Intelligence development, product management, and quality assurance teams.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

Contents

Preface    vii
    Audience    vii
    Documentation Accessibility    vii
    Diversity and Inclusion    vii
    Conventions    vii

1 Get Started with Oracle Analytics Server Security
    Typical Workflow to Set Up Security    1-1
    Overview of Security in Oracle Analytics Server    1-2
    About Authentication    1-3
    About Authorization    1-3
        About Application Roles    1-4
        About the Security Policy    1-5
    About Users, Groups, and Application Roles    1-5
    Terminology    1-5

2 Set Up Security With Users, Groups, and Application Roles
    Security Configuration Tools    2-1
    Manage Users and Groups in the Embedded WebLogic LDAP Server    2-2
        Use the Oracle WebLogic Server Administration Console    2-2
        Create a New User in the Embedded WebLogic LDAP Server    2-3
        Create a New Group in the Embedded WebLogic LDAP Server    2-4
        Assign a User to a Group in the Embedded WebLogic LDAP Server    2-4
        Delete a User    2-4
        Change a User Password in the Embedded WebLogic LDAP Server    2-5
    Manage Application Roles    2-5
        About Application Roles    2-6
        Predefined Application Roles    2-6
        Get Started with Application Roles    2-7
        Add Members to Application Roles    2-8
        Why Is the Administrator Application Role Important?    2-9
        Assign Application Roles to Users    2-9
        Assign Application Roles to Multiple Users Through Roles    2-11
        Add Your Own Application Roles    2-12
        Delete Application Roles    2-12
        Add One Predefined Application Role to Another (Advanced)    2-13
        Grant or Revoke Permission Assignments    2-13
    Manage Metadata Repository Privileges    2-15
        Use the Oracle BI Administration Tool    2-16
        Set Metadata Repository Privileges for an Application Role    2-16
        Manage Application Roles in the Metadata Repository - Advanced Security Configuration Topic    2-17
        Manage Session Variables    2-17
        Manage Server Sessions    2-17
        Use the Session Manager    2-18
    Manage Presentation Services Privileges    2-19
        Use Presentation Services Administration Page    2-20
        Set Presentation Services Privileges for Application Roles    2-20
    Encrypt Credentials (Advanced)    2-21
    Manage Data Source Access Permissions With Oracle Analytics Server Publisher    2-21
    Enable High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store    2-22
    Use runcat to Manage Security Tasks in the Presentation Catalog    2-22

3 Use Alternative Authentication Providers
    About Alternative Authentication Providers    3-1
    High-Level Steps for Configuring an Alternative Authentication Provider    3-1
        Set Up Groups and Users in the Alternative Authentication Provider    3-2
        Configure Oracle Analytics Server to Use Alternative Authentication Providers    3-2
    Reconfigure Oracle Internet Directory as an Authentication Provider    3-3
        Oracle Internet Directory Authenticator Provider Specific Reference    3-4
    Reconfigure Microsoft Active Directory as the Authentication Provider    3-5
        Microsoft Active Directory Authentication Provider Specific Reference    3-6
    Configure User and Group Name Attributes in the Identity Store    3-7
        Configure User Name Attributes    3-7
        Configure Group Name Attributes    3-8
    Configure LDAP as the Authentication Provider and Storing Groups in a Database    3-9
        Prerequisites    3-9
        Create a Sample Schema for Groups and Group Members    3-10
        Configure a Data Source and the BISQLGroupProvider Using Oracle WebLogic Server Administration Console    3-11
        Configure the Virtualized Identity Store    3-15
        Test the Configuration by Adding a Database Group to an Application Role    3-19
        Correct Errors in the Adaptors    3-19
    Configure a Database as the Authentication Provider
        Introduction and Prerequisites    3-19
        Create a Sample Schema for Users and Groups    3-20
        Configure a Data Source and SQL Authenticator Using the Oracle WebLogic Server Administration Console    3-21
        Configure the Virtualized Identity Store    3-25
        Troubleshoot the SQL Authenticator    3-29
        Correct Database Adapter Errors by Deleting and Recreating the Adapter    3-31
    Configure Identity Store Virtualization Using Fusion Middleware Control    3-31
    Configure Multiple Authentication Providers    3-33
        Set the JAAS Control Flag Option    3-33
    Configure a Single LDAP Authentication Provider as the Authenticator    3-34
        Configure Oracle Internet Directory LDAP Authentication as the Only Authenticator    3-34
    Troubleshoot    3-39
        Reset the BI System User Credential    3-39

4 Enable SSO Authentication
    SSO Configuration Tasks for Oracle Analytics Server    4-1
    Understand SSO Authentication and Oracle Analytics Server    4-2
    SSO Implementation Considerations    4-4
    Configure SSO in an Oracle Access Manager Environment    4-5
        Configure an OID Authenticator for Oracle WebLogic Server    4-5
        Authentication Provider Source Reference    4-6
        Configure Oracle Access Manager as a New Identity Asserter for Oracle WebLogic Server    4-7
    Configure Custom SSO Environments    4-8
    Enable Oracle Analytics Server to Use SSO Authentication    4-8
        Enable and Disable SSO Authentication Using WLST Commands    4-9
        Enable SSO Authentication Using Fusion Middleware Control    4-10
        Enable the Online Catalog Manager to Connect    4-10

5 Configure SSL in Oracle Analytics Server
    What is SSL?    5-1
    Enable End-to-End SSL    5-2
        Configure a Standard Non-SSL Oracle Analytics Server System    5-3
        Configure WebLogic SSL    5-3
        Start Only the Administration Server    5-4
        Configure HTTPS Ports    5-4
        Configure Internal WebLogic Server LDAP to Use LDAPs    5-5
        Configure Internal WebLogic Server LDAP Trust Store    5-6
        Disable HTTP    5-7
        Verify Server Keystores    5-8
        Restart    5-8
        Configure OWSM to Use t3s    5-9
        Restart System    5-9
        Enable Oracle Analytics Server Internal SSL    5-9
        Disable Internal SSL    5-11
        Export Trust and Identity for Clients    5-11
    Configure SSL for Clients    5-12
        Export Client Certificates    5-13
        Use SASchInvoke when BI Scheduler is SSL-Enabled    5-13
        Configure Oracle BI Job Manager    5-14
        Connect the Online Catalog Manager to Oracle Presentation Services    5-15
        Configure the Administration Tool to Communicate Over SSL    5-15
        Configure an ODBC DSN for Remote Client Access    5-15
        Configure Oracle Analytics Publisher to Communicate Over SSL    5-16
    Check Certificate Expiry    5-16
    Replace the Certificates    5-16
    Update Certificates After Changing Listener Addresses    5-17
    Add New Servers    5-17
    Enable SSL in a Configuration Template Configured System    5-18
    Enable SSL Without Internal Oracle Analytics Server SSL    5-19
    Manually Configure SSL Cipher Suite    5-19
    Configure SSL Connections to External Systems    5-20
        Configure SSL for the SMTP Server Using Fusion Middleware Control    5-20
    Configure SSL when Using Multiple Authenticators    5-21
    WebLogic Artifacts Reserved for Oracle Analytics Server Internal SSL Use    5-21

Preface

Learn how to secure Oracle Analytics Server.

Audience

This guide is intended for system administrators who are responsible for setting up and managing Oracle Analytics Server security.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Diversity and Inclusion

Oracle is fully committed to diversity and inclusion. Oracle respects and values having a diverse workforce that increases thought leadership and innovation. As part of our initiative to build a more inclusive culture that positively impacts our employees, customers, and partners, we are working to remove insensitive terms from our products and documentation. We are also mindful of the necessity to maintain compatibility with our customers' existing technologies and the need to ensure continuity of service as Oracle's offerings and industry standards evolve. Because of these technical constraints, our effort to remove insensitive terms is ongoing and will take time and external cooperation.

Conventions

The following text conventions are used in this document:

Convention    Meaning
boldface      Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italic        Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
monospace     Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

1 Get Started with Oracle Analytics Server Security

This chapter contains overview concepts, a terminology list, and a workflow to help you configure security.

Topics:
    Typical Workflow to Set Up Security
    Overview of Security in Oracle Analytics Server
    About Authentication
    About Authorization
    About Users, Groups, and Application Roles
    Terminology

Typical Workflow to Set Up Security

Use this workflow to understand how to set up security in a new Oracle Analytics Server instance.

Task: Decide if you want to use the default embedded WebLogic LDAP Server for authentication to create users and groups
    Description: Oracle doesn't recommend using WebLogic LDAP Server in an environment with more than 1,000 users. If you need a production environment with high availability and scalability, then use a directory service such as Oracle Internet Directory or a third-party directory service. Use the WebLogic Server Administration Console to create users and groups and assign users to groups. You can't use the Oracle Analytics Server Console to create and manage users and groups.
    More Information: Create a New User in the Embedded WebLogic LDAP Server; Create a New Group in the Embedded WebLogic LDAP Server; Assign a User to a Group in the Embedded WebLogic LDAP Server

Task: Decide if you want to use an alternative authentication provider such as Oracle Internet Directory to create users and groups
    Description: Configure Oracle Internet Directory as the authentication provider. Use your authentication provider tools to create users and groups and assign users to groups. You can't use the Oracle Analytics Server Console to create and manage users and groups.
    More Information: High-Level Steps for Configuring an Alternative Authentication Provider

Task: Set up application roles
    Description: Review the application roles provided with the installation and decide if you need to create additional roles. Use the Oracle Analytics Server Console to add application roles.
    More Information: Predefined Application Roles; Add Your Own Application Roles

Task: Customize the permission sets assigned to the application roles
    Description: Add or remove permissions as needed. Use the grant or revoke permissions script to add or remove application role permissions.
    More Information: Grant or Revoke Permission Assignments

Task: Assign application roles to users and groups
    Description: Add application roles to users and groups as needed. Use the Oracle Analytics Server Console to assign application roles to users and groups.
    More Information: Assign Application Roles to Users; Assign Application Roles to Multiple Users Through Roles

Task: Fine-tune privileges in the BI repository and Presentation Services
    Description: Add and remove the privileges that users and groups have in the Oracle BI Repository and in the Classic Home Page. Use the Oracle BI Administration Tool and the Oracle Analytics Server Classic Administration Page to add and remove these privileges.
    More Information: Managing Metadata Repository Privileges Using the Oracle BI Administration; Managing Presentation Services Privileges Using Application Roles

Task: Decide if you want to deploy single sign-on (SSO) authentication
    Description: Configure SSO authentication.
    More Information: Enabling SSO Authentication

Task: Decide if you want to deploy secure socket layer (SSL)
    Description: Configure Oracle Analytics Server components to communicate over SSL.
    More Information: Configuring SSL in Oracle Business Intelligence

Overview of Security in Oracle Analytics Server

Oracle Analytics Server is tightly integrated with the Oracle Fusion Middleware Security architecture and delegates core security functionality to components of that architecture. Specifically, any Oracle Analytics Server installation makes use of the following types of security providers:

    An authentication provider that knows how to access information about the users and groups accessible to Oracle Analytics Server and is responsible for authenticating users.
    A policy store provider that provides access to application roles and application policies, which forms a core part of the security policy and determines what users can and cannot see and do in Oracle Analytics Server.
    A credential store provider that is responsible for storing and providing access to credentials required by Oracle Analytics Server.

By default, an Oracle Analytics Server installation is configured with an authentication provider that uses the Oracle WebLogic Server embedded LDAP server for user and group information. The Oracle Analytics Server default policy store provider and credential store provider store credentials, application roles, and application policies in a database.

After installing Oracle Analytics Server you can reconfigure the domain to use alternative security providers, if desired. For example, you might want to reconfigure your installation to use an Oracle Internet Directory, Oracle Virtual Directory, Microsoft Active Directory, or another LDAP server for authentication. You might also decide to reconfigure your installation to use Oracle Internet Directory, rather than a database, to store credentials, application roles, and application policies.

About Authentication

You manage users and groups within the authentication provider.

Note: Use your authentication provider tools to create users and groups and assign users to groups. You can't use the Oracle Analytics Server Console to create and manage users and groups.

Each Oracle Analytics Server installation has an associated Oracle WebLogic Server domain. Oracle Analytics Server delegates user authentication to the authentication providers configured for that domain.

The default authentication provider accesses user and group information that is stored in the LDAP server that is embedded in the Oracle WebLogic Server domain for Oracle Analytics Server. You can use the Oracle WebLogic Server Administration Console to create and manage users and groups in the embedded LDAP server.

You might choose to configure an authentication provider for an alternative directory. You can use the Oracle WebLogic Server Administration Console to view the users and groups in the directory. However, you must continue to use the appropriate tools to make any modifications to the directory. For example, if you reconfigure Oracle Analytics Server to use Oracle Internet Directory (OID), you can view users and groups in Oracle WebLogic Server Administration Console but you must manage them using the OID Console. Refer to the BI certification matrix for information on supported LDAP directories.

About Authorization

Authorization is about ensuring users can do and see what they are authorized to do and see.

After a user has been authenticated, the next critical aspect of security is ensuring that the user can do and see what they are authorized to do and see. Authorization for Oracle Analytics Server is controlled by a security policy defined in terms of application roles.

Topics:
    About Application Roles
    About the Security Policy

About Application Roles

Application roles define the security policy for users.

Instead of defining the security policy in terms of users in groups in a directory server, Oracle Analytics Server uses a role-based access control model. Security is defined in terms of application roles that are assigned to directory server groups and users. For example, application roles BIServiceAdministrator, BIConsumer, and BIContentAuthor.

Application roles represent a functional role that a user has, which gives the user the privileges required to perform that role. For example, the Sales Analyst application role might grant a user access to view, edit, and create reports on a company's sales pipeline.

This indirection between application roles and directory server users and groups allows the administrator to define the application roles and policies without creating additional users or groups in the corporate LDAP server. Instead, the administrator defines application roles that meet the authorization requirements and assigns those roles to preexisting
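The following Python model illustrates the indirection this section describes (users and groups held by the authentication provider, application roles granted to users, to groups and to other application roles, permissions attached to roles). It is an added example, not code from this guide or from Oracle Analytics Server: the users, groups, grants and permission names are constructed, and the resolution rule (holding a role also grants the roles that role has been added to) is the example's own simplification of nested application roles.

```python
"""Added illustration of the role-based model described in this chapter:
identity-store users and groups -> application roles -> permissions.
Nothing here is an Oracle Analytics Server API; all data is constructed."""
from collections import deque

# Constructed identity-store content. In a real deployment this lives in
# the authentication provider (embedded WebLogic LDAP, OID, AD, ...) and
# is managed with that provider's tools, not by the analytics server.
USER_GROUPS = {
    "alice": {"sales_team"},
    "bob": {"sales_team", "bi_admins"},
    "carol": set(),
}

# Constructed application-role grants: (principal, principal_type, role).
# A principal is a user, a group, or another application role; a role
# granted to a role models "add one application role to another".
GRANTS = [
    ("sales_team", "group", "BIConsumer"),
    ("bi_admins", "group", "BIServiceAdministrator"),
    ("alice", "user", "SalesAnalyst"),
    ("SalesAnalyst", "role", "BIContentAuthor"),
    ("BIContentAuthor", "role", "BIConsumer"),
    ("BIServiceAdministrator", "role", "BIContentAuthor"),
]

# Constructed security policy: permissions granted to each application role.
# Permission names are illustrative placeholders, not product permissions.
ROLE_PERMISSIONS = {
    "BIConsumer": {"report:view"},
    "BIContentAuthor": {"report:create", "report:edit"},
    "SalesAnalyst": {"subject_area:sales_pipeline"},
    "BIServiceAdministrator": {"admin:manage_roles"},
}


def effective_roles(user, user_groups=USER_GROUPS, grants=GRANTS):
    """Resolve every application role a user holds, directly, through
    group membership, or through nested roles. Breadth-first over the
    grant graph; the visited set makes a cyclic role hierarchy terminate."""
    by_principal = {}
    for principal, ptype, role in grants:
        by_principal.setdefault((ptype, principal), set()).add(role)

    queue = deque([("user", user)])
    queue.extend(("group", g) for g in sorted(user_groups.get(user, ())))
    roles = set()
    while queue:
        principal = queue.popleft()
        for role in by_principal.get(principal, ()):
            if role not in roles:
                roles.add(role)
                # Holding a role makes the role itself a principal, so the
                # roles granted to it are inherited as well.
                queue.append(("role", role))
    return roles


def effective_permissions(user, user_groups=USER_GROUPS, grants=GRANTS,
                          policy=ROLE_PERMISSIONS):
    """Union of the permissions of all roles the user effectively holds."""
    perms = set()
    for role in effective_roles(user, user_groups, grants):
        perms |= policy.get(role, set())
    return perms


def is_authorized(user, permission, **kwargs):
    """Authorization decision: does the user hold the named permission?"""
    return permission in effective_permissions(user, **kwargs)


if __name__ == "__main__":
    for name in USER_GROUPS:
        print(name, sorted(effective_roles(name)),
              sorted(effective_permissions(name)))
    # Onboarding a new business role touches only the grants, never the
    # directory: the group already exists in the identity store.
    extended = GRANTS + [("sales_team", "group", "FinanceAnalyst")]
    print("alice after new grant:", sorted(effective_roles("alice", grants=extended)))
```

The point to take from the resolver is that `USER_GROUPS` is never modified: a new functional role such as `FinanceAnalyst` is introduced by adding one grant against an existing group, which is exactly the separation between directory administration and security-policy administration the section describes. The visited-set check also matters in practice, because a role hierarchy that accidentally contains a cycle must still resolve rather than loop.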
