Business Intelligence – Oracle

Oracle BI EE 10.1.3.3/2 – Changing Administrator Passwords – Impact on BI Scheduler and BI Publisher – Understanding Impersonation

Posted by Venkatakrishnan J on April 11, 2008

Another common question that keeps circulating in the mailing lists is “How do we ensure that changing Administrator password in BI Server does not impact BI Scheduler or BI Publisher?”. In order to answer this question we need to first understand how the integration between BI Scheduler and BI Server, and BI Publisher and BI Server works. Lets first start with BI Scheduler and BI Server. As you would probably know, BI Server repository contains all the users. Whenever we configure BI Scheduler, we would have to create a BI Scheduler administrator user, by running the cryptotools utility. This user (should be an user within the repository who is part of the Administrators group) details like username and password would be stored in the credentialstore.xml file. So, whenever any user logs into delivers and tries creating a schedule, then BI scheduler uses the user details stored inside the credentialstore.xml file to authenticate/impersonate into the BI Server. Once authenticated by the impersonation user, then the corresponding logging in user’s privilege details are returned back from the BI Server. This is explained in the below diagram

    

Now, what would happen when we change the Administrator user password in the repository? When we change the Administrator user password in the repository, the crendialstore.xml file would still contain the older password. Hence, whenever any user tries to run a schedule using the BI Scheduler, he would not be able to do so since BI Scheduler will still be using the older password of the Administrator user. So, in order to keep both the passwords in sync one would have to run the cryptotools utility again with the new password as sepecified in the repository.
The integration between BI Server and BI Publisher also works using the same logic. But the general confusion is why do we have to run the cryptotools? By default when we install BI EE, the cryptotools utility would automatically be run for the Administrator user for BI Publisher. But this is not the case for BI Scheduler. Hence, we would have to manually run the cryptotools for scheduler to bring it up.

    

As shown, whenever the password for the Administrator user alone is changed, then and only then should the cryptotools be run again. For all other users, there is no need for running the cryptotools. For example, lets try changing the password for Administrator in the repository to say “welcome1″. Once that is done, we need to run the cryptotools twice. One for the admin role (used by Bi Scheduler) and the other for the bipublisheradmin role (used by BI Publisher). Run the cryptotools with the new password.

 cryptotools credstore -add -infile D:\oracle\OracleBIData\web\config\credentialstore.xml

Also, open up the Job Manager and update the Administrator Password there.

    

Similarly, run it for BI Publisher using the bipublisheradmin alias.

    

The next step is to go to {OracleBI}\xmlp\XMLP\Admin\Configuration and open up the xmlp-server-config.xml. Update the Administrator passwords here.

 <?xml version="1.0" encoding="UTF-8"?>
<xmlpConfig xmlns="<a href="http://xmlns.oracle.com/oxp/xmlp">http://xmlns.oracle.com/oxp/xmlp</a>">
<property name="SAW_SERVER" value="vejanaki-lap"/>
<property name="SAW_SESSION_TIMEOUT" value="90"/>
<property name="DEBUG_LEVEL" value="exception"/>
<property name="SAW_PORT" value="9704"/>
<property name="SAW_PASSWORD" value="welcome1"/>
<property name="SAW_PROTOCOL" value="http"/>
<property name="SAW_VERSION" value="v4"/>
<property name="SAW_USERNAME" value="Administrator"/>
<property name="SAW_URL_SUFFIX" value="analytics/saw.dll"/>
<property name="SECURITY_MODEL" value="BI_SERVER"/>
<property name="BI_SERVER_SECURITY_DRIVER" value="oracle.bi.jdbc.AnaJdbcDriver"/>
<property name="BI_SERVER_SECURITY_URL" value="jdbc:oraclebi://vejanaki-lap:9703/"/>
<property name="BI_SERVER_SECURITY_ADMIN_USERNAME" value="Administrator"/>
<property name="BI_SERVER_SECURITY_ADMIN_PASSWORD" value="welcome1"/>
</xmlpConfig>

Then restart Presentation Services, BI Scheduler Service and OC4J. This would sync up all the passwords.

 

About these ads

19 Responses to “Oracle BI EE 10.1.3.3/2 – Changing Administrator Passwords – Impact on BI Scheduler and BI Publisher – Understanding Impersonation”

  1. Hello Venkatakrishnan J,

    finally somebody wrote an explanation of how Security belongs all together in OBI. Thanks for this and also for your great blog, I totally appreciate reading from you.
    Just one thing on changing Adminstrator password and having it in sync. If you change the user-profile on the local OS you are running your server on you have to change also the passwort for OC4J. But it’s easy, another colleague from us described already.

    http://mike-lehmann.blogspot.com/2006/12/reset-oc4j-admin-password.html

    To all a nice weeekend,
    Andreas

  2. Turribeach said

    The steps provided in this post to change the Admin passwords are correct but the description on how the authentication process works is not correct at all. The chart above says:

    “BI Scheduler uses its Administrator user (given while running Cryptools) and impersonates into BI Server using this username and password stored in the cryptotools.”

    This is not correct. The BI Scheduler does not use the user created in CryptoTools. In fact the CryptoTools utility does not create any users nor it stores any users or passwords. It’s just a general purpose utility for the manipulation of the credential store XML file (OracleBIData/web/config/credentialstore.xml). The credentialstore.xml is used by the Presentation Services to communicate with other BI Components (BI Scheduler [aka Delivers] and BI Publisher). Once the Presentation Services contacts the other BI Component, the BI Component will use the credentials provided by the Presentation Services to authenticate the user against the BI Server. The reason this was implemented this way it’s due to the fact that in most large installations the Presentation Services will reside on a different box than the BI Scheduler [aka Delivers] or BI Publisher hence the connection between the services needs to be authenticated.

    For more information read Chapter 5 – “Oracle BI Presentation Services Credential Store” of the OBIEE Deployment Guide.

  3. Turribeach said

    It’s also worth mentioning that if you change the Administrator password in OBIEE you have to also update the datasource BI Publisher uses to connect to the OBIEE server, if you use any reports that pull data from the BI Server. The config file sits under ./OracleBI/xmlp/XMLP/Admin/DataSource/datasources.xml or you can use the BI Publisher Admin applet and go to Admin >> Data Sources >> Oracle BI EE and change the details accordingly.

  4. Arjun said

    This is a useful discussion, But i need to reset the password for oc4j in window 2004 server environment. Could any one of you tell me about it.
    Thanks
    AJ

  5. Andreas Schlögl said

    Hi, just a short side note: If you make use of LDAP authentication and want the Administrator user reside in the rpd (e.g. for the case that the LDAP server is unavailable) the “Required for authentication” flag in the authentication init block must not be checked.

    Ciao,
    Andi

  6. Shivaji said

    Hi Andreas,
    When we uncheck “Required for Authercation” Flag ,can Local OBIEE users (Administrator user) and LDAP users can login at the same time ?
    I have trouble making it work for both .I can make it work either LDAP or OBIEE local users but not both?
    Any Ideas ?
    Thanks
    Shivaji

  7. Angii said

    not Can´t star service Scheduler ¿¿WHY??

    Changed password, all !..

    My error are…

    NQS error 12008
    and
    Error unable port 9075…Plis Help mee!!!! pliz!

    thank!

  8. Angii said

    Cant ! StarT Mys Services.. !!!!

    Your Indication is Fantastic!..
    Creating ODBC When Create The Base De DAto!

  9. Prakash said

    Hi Venkat,

    I am very impressed and thankful for your Blog.

    Now onwards I want to be active member in all the above discussions. I have a situation here. I am trying to access the Oracle BI Templates through MS Word — Log In Oracle BI Publisher — Open — Open Template and select the workspace and select from the combo box – Oracle BI instead of BI Publihser, I couldnt see any of the templates with in that where as I can see in Publisher its templates.

    I appreciate your help.

    -Prakash

  10. Allwin said

    Hi Venkat,

    I tried the same in UNIX box, the command is not working
    This is what bash is returning:


    /u001/oracle/product/OracleBI/web/bin/cryptotools credstore -add -infile /u001/oracle/product/OracleBIData/web/config/credentialstore.xml
    ld.so.1: cryptotools: fatal: libtestframework3r.so: open failed: No such file or directory
    Killed

    Please help me on this. Our project is going to production soon and this issue has to be solved before that.

    Regards,
    Allwin

  11. umer said

    I AM A STUDENT & WANT TO KNOW HOW TO CHAGE THE USER “ADMIN” PASSWORD IN ORACLE?

    REGARDS;
    UMER SOHAIL

  12. moff said

    @allwin: run setup/user.sh and setup/sa-init first to set the paths, and also export LD_LIBRARY_PATH=/web/bin where is the path to your obiee installation

  13. Jagdeep Sethi said

    Hi Venkat,

    Maybe not related to this chain of posts, but I created one user using desktop Administration tool, online. The new user can connect to Analytics and BI Publisher web interface, but not locally to Admin tool for developing rpd – unless the user is in the administrator group. Is that the correct way it should behave?

    Please let me know.

    Regards,

    jagdeep

  14. To change a user password

    Select Manage > Security.
    In the Security Manager dialog box, select Users in the left pane.
    In the right pane, right-click the user whose password you want to change.
    Select Properties from the shortcut menu.
    In the User tab, type the new password.
    In the Confirm Password text box, type the password again, and then click OK.

    Note: It is written default password: “SADMIN” in help document of BI ,
    but default password is “Administrator”

  15. anamik said

    Trying to run cryptotools (which is located in OracleBI/web/bin folder), getting the following error:
    OS is AIX 64 BIT. Please help, please.

    exec(): 0509-036 Cannot load program cryptotools because of the following errors:
    0509-150 Dependent module libtestframework3r.so could not be loaded.
    0509-022 Cannot load module libtestframework3r.so.
    0509-026 System error: A file or directory in the path name does not exist.

  16. Vijay said

    Hi,
    please tell me the Steps for Disconnected analytics for OBIEE .?

    than x in advance

    regards
    Vijay

  17. prakash kumar said

    Hi,
    i am getting following error messages in iBots scheduled through our application.

    Authentication Failure.
    Error Codes: IHVF6OM7:OPR4ONWY:U9IM8TAC
    Location: saw.connectionPool.getConnection, saw.rpc.server.responder, saw.rpc.server, saw.rpc.server.socketServer, saw.threadPool, saw.threadPool, saw.threads
    File: connection.cpp, Line: 286

    But its not the case with all iBots some are working fine too. if an iBot has been failed with the error mentioned it will runn if i manually reschedule it.. can you help me with this error.

    Regards,
    Prakash

  18. Mat said

    One of the worst tools I have ever encountered. Maybe I am wrong, but it sucks to work with this gui kind of thing which behaves unusually and unexpected most of the times.

  19. Tshepiso said

    hi all,
    i need to install oracle BI publisher and use it, i dnt no how to go about getting it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 151 other followers

%d bloggers like this: