Oracle BI EE 10.1.3.3/2 - Changing Administrator Passwords - Impact on BI Scheduler and BI Publisher - Understanding Impersonation
Posted by Venkatakrishnan J on April 11, 2008
Another common question that keeps circulating on the mailing lists is “How do we ensure that changing the Administrator password in BI Server does not impact BI Scheduler or BI Publisher?”. To answer it, we first need to understand how the integration between BI Scheduler and BI Server, and between BI Publisher and BI Server, works.
Let's start with BI Scheduler and BI Server. As you probably know, the BI Server repository contains all the users. Whenever we configure BI Scheduler, we have to create a BI Scheduler administrator user by running the cryptotools utility. The details of this user (who should be a user within the repository and a member of the Administrators group), such as username and password, are stored in the credentialstore.xml file. So whenever any user logs into Delivers and tries to create a schedule, BI Scheduler uses the user details stored in credentialstore.xml to authenticate/impersonate into the BI Server. Once the impersonation user is authenticated, the BI Server returns the privilege details of the user who actually logged in. This is explained in the diagram below.
Now, what happens when we change the Administrator user password in the repository? The credentialstore.xml file still contains the older password. Hence, whenever any user tries to run a schedule using BI Scheduler, he will not be able to do so, since BI Scheduler is still using the older password of the Administrator user. So, to keep both passwords in sync, one has to run the cryptotools utility again with the new password as specified in the repository.
The integration between BI Server and BI Publisher works using the same logic. The general confusion is about why we have to run cryptotools at all. By default, when we install BI EE, the cryptotools utility is automatically run for the Administrator user for BI Publisher. But this is not the case for BI Scheduler. Hence, we have to run cryptotools manually for the scheduler to bring it up.
As shown, cryptotools should be run again only when the password for the Administrator user is changed. For all other users, there is no need to run cryptotools. For example, let's try changing the password for Administrator in the repository to, say, “welcome1”. Once that is done, we need to run cryptotools twice: once for the admin alias (used by BI Scheduler) and once for the bipublisheradmin alias (used by BI Publisher). Run cryptotools with the new password.
cryptotools credstore -add -infile D:\oracle\OracleBIData\web\config\credentialstore.xml
Also, open up the Job Manager and update the Administrator Password there.
Similarly, run it for BI Publisher using the bipublisheradmin alias.
The next step is to go to {OracleBI}\xmlp\XMLP\Admin\Configuration and open up the xmlp-server-config.xml. Update the Administrator passwords here.
<?xml version="1.0" encoding="UTF-8"?>
<xmlpConfig xmlns="http://xmlns.oracle.com/oxp/xmlp">
  <property name="SAW_SERVER" value="vejanaki-lap"/>
  <property name="SAW_SESSION_TIMEOUT" value="90"/>
  <property name="DEBUG_LEVEL" value="exception"/>
  <property name="SAW_PORT" value="9704"/>
  <property name="SAW_PASSWORD" value="welcome1"/>
  <property name="SAW_PROTOCOL" value="http"/>
  <property name="SAW_VERSION" value="v4"/>
  <property name="SAW_USERNAME" value="Administrator"/>
  <property name="SAW_URL_SUFFIX" value="analytics/saw.dll"/>
  <property name="SECURITY_MODEL" value="BI_SERVER"/>
  <property name="BI_SERVER_SECURITY_DRIVER" value="oracle.bi.jdbc.AnaJdbcDriver"/>
  <property name="BI_SERVER_SECURITY_URL" value="jdbc:oraclebi://vejanaki-lap:9703/"/>
  <property name="BI_SERVER_SECURITY_ADMIN_USERNAME" value="Administrator"/>
  <property name="BI_SERVER_SECURITY_ADMIN_PASSWORD" value="welcome1"/>
</xmlpConfig>
Then restart Presentation Services, BI Scheduler Service and OC4J. This would sync up all the passwords.
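An added example, not from the original post: a Python check to run after the rotation above. It confirms that every password property paired with the Administrator username in xmlp-server-config.xml holds the same value, and lists the properties that keep a password in clear text. The sample file is constructed, and the pairing rule (X_PASSWORD with X_USERNAME) is an assumption based on the property names shown above.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://xmlns.oracle.com/oxp/xmlp"}

# Constructed sample modelled on the file above: one password was rotated,
# the other was missed and still holds the previous value.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<xmlpConfig xmlns="http://xmlns.oracle.com/oxp/xmlp">
  <property name="SAW_PROTOCOL" value="http"/>
  <property name="SAW_USERNAME" value="Administrator"/>
  <property name="SAW_PASSWORD" value="welcome1"/>
  <property name="BI_SERVER_SECURITY_ADMIN_USERNAME" value="Administrator"/>
  <property name="BI_SERVER_SECURITY_ADMIN_PASSWORD" value="oldpassword"/>
</xmlpConfig>"""


def audit(xml_text, account="Administrator"):
    """Return (findings, names of password properties tied to `account`).

    Findings never contain a password value, so they are safe to log.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    props = {p.get("name"): p.get("value", "")
             for p in root.findall("x:property", NS) if p.get("name")}
    findings, tied = [], {}
    for name, value in props.items():
        if not name.endswith("_PASSWORD") or not value:
            continue
        findings.append(f"{name}: clear-text password stored on disk")
        # Assumed pairing: SAW_PASSWORD -> SAW_USERNAME, and so on.
        if props.get(name.replace("_PASSWORD", "_USERNAME")) == account:
            tied[name] = value
    if len(set(tied.values())) > 1:
        findings.append(
            f"{account} passwords differ across {sorted(tied)}: one is stale")
    if props.get("SAW_PROTOCOL", "").lower() == "http":
        findings.append(
            "SAW_PROTOCOL is http: link to Presentation Services is unencrypted")
    return findings, sorted(tied)


if __name__ == "__main__":
    for line in audit(SAMPLE)[0]:
        print(line)
```

Because the file holds the Administrator password in clear text, restrict read access on the Configuration directory to the account that runs OC4J.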





April 11, 2008 at 1:30 pm
Hello Venkatakrishnan J,
Finally somebody wrote an explanation of how security fits together in OBI. Thanks for this and also for your great blog; I really appreciate reading your posts.
Just one thing on changing the Administrator password and keeping it in sync. If you change the user profile on the local OS you are running your server on, you also have to change the password for OC4J. But it’s easy; another colleague of ours has already described it.
http://mike-lehmann.blogspot.com/2006/12/reset-oc4j-admin-password.html
A nice weekend to all,
Andreas
April 18, 2008 at 2:20 pm
The steps provided in this post to change the Admin passwords are correct but the description on how the authentication process works is not correct at all. The chart above says:
“BI Scheduler uses its Administrator user (given while running Cryptools) and impersonates into BI Server using this username and password stored in the cryptotools.”
This is not correct. The BI Scheduler does not use the user created in CryptoTools. In fact, the CryptoTools utility does not create any users, nor does it store any users or passwords. It’s just a general-purpose utility for the manipulation of the credential store XML file (OracleBIData/web/config/credentialstore.xml). The credentialstore.xml is used by the Presentation Services to communicate with other BI Components (BI Scheduler [aka Delivers] and BI Publisher). Once the Presentation Services contacts the other BI Component, the BI Component will use the credentials provided by the Presentation Services to authenticate the user against the BI Server. The reason this was implemented this way is that in most large installations the Presentation Services will reside on a different box than the BI Scheduler [aka Delivers] or BI Publisher, hence the connection between the services needs to be authenticated.
For more information read Chapter 5 - “Oracle BI Presentation Services Credential Store” of the OBIEE Deployment Guide.
April 21, 2008 at 10:33 am
It’s also worth mentioning that if you change the Administrator password in OBIEE you have to also update the datasource BI Publisher uses to connect to the OBIEE server, if you use any reports that pull data from the BI Server. The config file sits under ./OracleBI/xmlp/XMLP/Admin/DataSource/datasources.xml or you can use the BI Publisher Admin applet and go to Admin >> Data Sources >> Oracle BI EE and change the details accordingly.
May 12, 2008 at 10:28 pm
This is a useful discussion, but I need to reset the password for OC4J in a Windows 2004 server environment. Could any one of you tell me about it?
Thanks
AJ