Business Intelligence – Oracle

Archive for April 11th, 2008

Oracle BI EE – Changing Administrator Passwords – Impact on BI Scheduler and BI Publisher – Understanding Impersonation

Posted by Venkatakrishnan J on April 11, 2008

Another common question that keeps circulating in the mailing lists is “How do we ensure that changing Administrator password in BI Server does not impact BI Scheduler or BI Publisher?”. In order to answer this question we need to first understand how the integration between BI Scheduler and BI Server, and BI Publisher and BI Server works. Lets first start with BI Scheduler and BI Server. As you would probably know, BI Server repository contains all the users. Whenever we configure BI Scheduler, we would have to create a BI Scheduler administrator user, by running the cryptotools utility. This user (should be an user within the repository who is part of the Administrators group) details like username and password would be stored in the credentialstore.xml file. So, whenever any user logs into delivers and tries creating a schedule, then BI scheduler uses the user details stored inside the credentialstore.xml file to authenticate/impersonate into the BI Server. Once authenticated by the impersonation user, then the corresponding logging in user’s privilege details are returned back from the BI Server. This is explained in the below diagram


Now, what would happen when we change the Administrator user password in the repository? When we change the Administrator user password in the repository, the crendialstore.xml file would still contain the older password. Hence, whenever any user tries to run a schedule using the BI Scheduler, he would not be able to do so since BI Scheduler will still be using the older password of the Administrator user. So, in order to keep both the passwords in sync one would have to run the cryptotools utility again with the new password as sepecified in the repository.
The integration between BI Server and BI Publisher also works using the same logic. But the general confusion is why do we have to run the cryptotools? By default when we install BI EE, the cryptotools utility would automatically be run for the Administrator user for BI Publisher. But this is not the case for BI Scheduler. Hence, we would have to manually run the cryptotools for scheduler to bring it up.


As shown, whenever the password for the Administrator user alone is changed, then and only then should the cryptotools be run again. For all other users, there is no need for running the cryptotools. For example, lets try changing the password for Administrator in the repository to say “welcome1”. Once that is done, we need to run the cryptotools twice. One for the admin role (used by Bi Scheduler) and the other for the bipublisheradmin role (used by BI Publisher). Run the cryptotools with the new password.

 cryptotools credstore -add -infile D:\oracle\OracleBIData\web\config\credentialstore.xml

Also, open up the Job Manager and update the Administrator Password there.


Similarly, run it for BI Publisher using the bipublisheradmin alias.


The next step is to go to {OracleBI}\xmlp\XMLP\Admin\Configuration and open up the xmlp-server-config.xml. Update the Administrator passwords here.

 <?xml version="1.0" encoding="UTF-8"?>
<xmlpConfig xmlns="<a href=""></a>">
<property name="SAW_SERVER" value="vejanaki-lap"/>
<property name="SAW_SESSION_TIMEOUT" value="90"/>
<property name="DEBUG_LEVEL" value="exception"/>
<property name="SAW_PORT" value="9704"/>
<property name="SAW_PASSWORD" value="welcome1"/>
<property name="SAW_PROTOCOL" value="http"/>
<property name="SAW_VERSION" value="v4"/>
<property name="SAW_USERNAME" value="Administrator"/>
<property name="SAW_URL_SUFFIX" value="analytics/saw.dll"/>
<property name="SECURITY_MODEL" value="BI_SERVER"/>
<property name="BI_SERVER_SECURITY_DRIVER" value=""/>
<property name="BI_SERVER_SECURITY_URL" value="jdbc:oraclebi://vejanaki-lap:9703/"/>
<property name="BI_SERVER_SECURITY_ADMIN_USERNAME" value="Administrator"/>
<property name="BI_SERVER_SECURITY_ADMIN_PASSWORD" value="welcome1"/>

Then restart Presentation Services, BI Scheduler Service and OC4J. This would sync up all the passwords.


Posted in All Posts | 19 Comments »