BI Check with WLST - Providers and Technical users part 1

Checking the OBIEE 11.1.1.7.1 security configuration manually is relatively time-consuming. Using WLST and Python, it is possible to automate most of these tasks. The following script performs checks on the OBIEE configuration for version 11.1.1.7.1+ (it will not work for 11.1.1.7.0 or 11.1.1.6). It is the first of a three-part series; part 1 covers:

Providers, technical users and logins tests
*    getting provider lists from weblogic
*    getting system.user from EM jmx
*    listing provider and groups membership recursively for users: system.user above, weblogic, OracleSystemUser
*    listing weblogic role expressions for role Admin and OracleSystemRole
*    listing app roles members for BIAdministrator and BISystem roles
*    checking if SSO is enabled in EM
*    checking bisecurity#11.1.1 and wsm-pm web app state
*    Performing GET request to bisecurity web service
*    Performing WS-Security login to bisecurity web service using system.user, and weblogic admin accounts
*    Performing login to analytics using direct weblogic connections, using system.user, and weblogic admin accounts
*    Performing login to analytics using external FQDN url, using system.user, and weblogic admin accounts

Part 2 will cover checking BISQLGroupProvider specifically: https://blogs.oracle.com/pa/entry/bi_check_with_wlst_sql

Part 3 covers automation for enabling debug, login tests and logs parsing.

Script for Part 1 is available here: https://blogs.oracle.com/pa/resource/BICheckWithWLST-Part1.zip


Usage:
* Copy the Python script and automation.properties into a folder on the server, or on a client. This machine must have oracle_common/common/bin/wlst.sh (.cmd)
* Modify automation.properties

| Property | Sample value | Description |
| --- | --- | --- |
| WLUsername | weblogic | A user with a weblogic Admin role |
| WLPassword | password | Password for this user |
| WLServer | server1.mycompany.com | weblogic console server name |
| WLPort | 7001 | weblogic console port |
| WLScheme | t3 | Scheme used to connect to the admin console |
| WLUrl | t3://server1.mycompany.com:7001 | URL for the wlst connect command |
| TARserver | bi_server1 | Target managed server for checks |
| FQDNExtension | .mycompany.com | String to append after the machine name for client calls if short names are used in the weblogic server |
| ObieeAnalytocsExternalLoadBalancerUrl | http://externalurl.mycompany.com/analytics | External load balancer URL for the login test |
| obieeServerScheme | http | Selects http or https for direct connections to the BI security web service and to analytics. The URL is constructed from managed server information (listen address, or machine name completed with FQDNExtension if necessary) |
| HttpProxyHost | | HTTP proxy host for client calls |
| HttpProxyPort | | HTTP proxy port for client calls |

* Edit BICheckPart1.cmd (.sh) and change ORACLE_HOME

* Run the BICheckPart1.cmd (.sh)

* Review the checkBI.log generated

Here is a sample output of the script:

--- Reading properties file automation.properties ---
    WLScheme=t3
    obieeServerScheme=http
    HttpProxyHost=
    WLServer=server1.mycompany.com
    WLPassword=password
    HttpProxyPort=
    ObieeAnalytocsExternalLoadBalancerUrl=http://external.mycompany.com/analytics
    TARserver=bi_server1
    WLPort=7001
    WLUrl=t3://server1.mycompany.com:7001
    WLUsername=weblogic
    FQDNExtension=.mycompany.com

--- Connecting to weblogic ---
Connecting to t3://server1.mycompany.com:7001 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "bifoundation_domain".

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

Location changed to serverRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help('domainConfig')

Checking servers targets in domain:bifoundation_domain
AdminServer-> http port:7001 or SSL:7002
bi_server1-> http port:9704 or SSL:9804

***  BI Check Utility running for managed server:bi_server1 ***
Already in Domain Config Tree


--- Getting providers lists for default realm:myrealm ---
Providers list:
    SQLGroupProvider Type: BI SQL Group Provider
    DefaultAuthenticator Type: WebLogic Authentication Provider
    DefaultIdentityAsserter Type: WebLogic Identity Assertion provider
    OID Type: Provider that performs LDAP authentication
        Host:oidserver.mycompany.com
        Port:3060
        Provider Class Name:weblogic.security.providers.authentication.LDAPAuthenticationProviderImpl
        UserBaseDN:ou=People,dc=us,dc=mycompany,dc=com
        Users filters:(&(cn=*)(objectclass=person))
        GroupBaseDN:ou=People,dc=us,dc=mycompany,dc=com
        Groups filters:(&(cn=dummygroup)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
        Use Retrieved UserName As Principal (0 false, 1 true):0
            Use retrieved username as principal is not ticked in provider. Please review the following docid:
            OBIEE 11g: Weblogic Microsoft ADSI (Active Directory) Case Sensitivity on OPSS Application Roles (Doc ID 1299220.1)
Done getting providers list


--- Getting the system.user username configured in Enterprise manager ---
system.user is defined as:BISystemUser
Done getting system.user


--- Getting OBIEE technical users information ---
BI Technical users check for provider:DefaultAuthenticator


    weblogic found in provider:DefaultAuthenticator
    Exact case in provider:weblogic
    Member: weblogic is member of the following Groups:
        Administrators
        BIAdministrators
    Member: BIAdministrators is member of the following Groups:
        BIAuthors
    Member: BIAuthors is member of the following Groups:
        BIConsumers


    oraclesystemuser found in provider:DefaultAuthenticator
    Exact case in provider:OracleSystemUser
    Member: oraclesystemuser is member of the following Groups:
        OracleSystemGroup


    BISystemUser found in provider:DefaultAuthenticator
    Exact case in provider:BISystemUser
    Member: BISystemUser is member of the following Groups:
        Administrators
BI Technical users check for provider:OID
Done with BIEE technical Users/groups listing


--- Listing OBIEE technical roles -weblogic and opss- information ---
    Role expression for weblogic global role:Admin
Grp(Administrators)|Usr(smuser1)
    Role expression for weblogic global role:OracleSystemRole
Grp(OracleSystemGroup)


    <---- Members for opss role:BISystem
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help('domainRuntime')

[Principal Clz Name : weblogic.security.principal.WLSUserImpl, Principal Name : BISystemUser, Type : ENT_USER]
None
    ---->
    <---- Members for opss role:BIAdministrator
Already in Domain Runtime Tree

[Principal Clz Name : weblogic.security.principal.WLSGroupImpl, Principal Name : BIAdministrators, Type : ENT_ROLE]
None
    ---->
Done listing technical roles members


--- Checking SSO config ---
Location changed to domain custom tree. This is a writable tree with No root.
For more help, use help('domainCustom')

SSO is not enabled in EM
Done SSO


--- Checking bisecurity webservice deployment ---


Application: bisecurity#11.1.1 state:STATE_ACTIVE


Application: wsm-pm state:STATE_ACTIVE
-->bisecurity and wsm-pm deployments are running -> Performing bisecurity web service tests


dr--   server1

* Calling url:http://server1.mycompany.com:9704/bisecurity
GET HTML response:<html>

<head>
    <title>BI Security Service</title>
</head>

<body>
    <h1>The presence of this page indicates the BI Security Service has been successfully deployed.</h1>
</body>

</html>

Login tests to bisecurity web service url: http://server1.mycompany.com:9704/bisecurity  using BISystemUser account
Calling url:http://server1.mycompany.com:9704/bisecurity/service with user:BISystemUser
Web Service Response:<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Header/><env:Body><ns3:getAuthenticatedUserWithLanguageAndPropertiesResponse xmlns="" xmlns:ns3="http://oracle/bi/security/"><result><GUID><value>2A7A0AB053A411E3BFA56112E3E6A324</value></GUID><name>BISystemUser</name>
... ws response cut ...
e>/EssbaseCluster-1</resourceName><resourceType>oracle.essbase.server</resourceType><actions>access</actions></permissions><permissions><resourceName>/EssbaseCluster-1</resourceName><resourceType>oracle.essbase.application</resourceType><actions>use_filter</actions></permissions></result></ns3:getAuthenticatedUserWithLanguageAndPropertiesResponse></env:Body></env:Envelope>
Web service call succeeded: user:BISystemUser has guid:<GUID><value>2A7A0AB053A411E3BFA56112E3E6A324</value></GUID>

Login tests to bisecurity web service url: http://server1.mycompany.com:9704/bisecurity using weblogic account
Calling url:http://server1.mycompany.com:9704/bisecurity/service with user:weblogic
Web Service Response:<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Header/><env:Body><ns3:getAuthenticatedUserWithLanguageAndPropertiesResponse xmlns="" xmlns:ns3="http://oracle/bi/security/"><result><GUID><value>52BFE81053A311E3AF712DB8C1A98C51</value></GUID><name>weblogic</name>
... ws response cut ...
<actions>_all_</actions></permissions><permissions><resourceName>/EssbaseCluster-1</resourceName><resourceType>oracle.essbase.application</resourceType><actions>use_calculation,use_filter</actions></permissions></result></ns3:getAuthenticatedUserWithLanguageAndPropertiesResponse></env:Body></env:Envelope>
Web service call succeeded: user:weblogic has guid:<GUID><value>52BFE81053A311E3AF712DB8C1A98C51</value></GUID>


dr--   server1


Login tests to analytics weblogic url: http://server1.mycompany.com:9704/analytics using system.user account/pw:BISystemUser
Calling url:http://server1.mycompany.com:9704/analytics/saw.dll?bieehome with user:BISystemUser
Login success. Valid NQID session:ORA_BIPS_NQID=5levoka2p.......q4fsdcm1a3eoq6i204vp7ri;

Login tests to analytics weblogic url: http://server1.mycompany.com:9704/analytics  using weblogic account
Calling url:http://server1.mycompany.com:9704/analytics/saw.dll?bieehome with user:weblogic
Login success. Valid NQID session:ORA_BIPS_NQID=lh9ahsrj.......6jt9pcrvb0l7fsf73b5b32;

Login tests to analytics external FQDN url: http://server1.mycompany.com:9704/analytics using system.user account/pw:BISystemUser
Calling url:http://server1.mycompany.com:9704/analytics/saw.dll?bieehome with user:BISystemUser
Login success. Valid NQID session:ORA_BIPS_NQID=rjr2p3emgm......pk3qslkntij6p6nosaa;

Login tests to analytics external FQDN url: http://server1.mycompany.com:9704/analytics using weblogic account
Calling url:http://server1.mycompany.com:9704/analytics/saw.dll?bieehome with user:weblogic
Login success. Valid NQID session:ORA_BIPS_NQID=t3tdlcimbt4c.....fojdhd91h0fu5c7o1a;
Disconnected from weblogic server: AdminServer

Done BI Check Utility
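
The group membership and role expression sections of this output can be cross-checked to see which principals effectively hold a WebLogic global role, including users granted it directly such as smuser1 above. The following Python is an added example, not part of the original script: the function names are hypothetical, it assumes the log layout shown above, and it only evaluates `Grp()`/`Usr()` terms joined by `|`, rejecting anything else for manual review.

```python
import re
# Constructed input in the layout of the sample output above (4/8-space indents assumed).
SAMPLE_LOG = """\
    Member: weblogic is member of the following Groups:
        Administrators
        BIAdministrators
    Member: BIAdministrators is member of the following Groups:
        BIAuthors
    Member: BISystemUser is member of the following Groups:
        Administrators
    Role expression for weblogic global role:Admin
Grp(Administrators)|Usr(smuser1)
"""
MEMBER = re.compile(r"^ *Member: (\S+) is member of the following Groups: *\n((?: {8}\S.*\n)*)", re.M)
ROLE = re.compile(r"^ *Role expression for weblogic global role:(\S+) *\n(\S.*)$", re.M)
TERM = re.compile(r"^(Grp|Usr)\(([^()]+)\)$")  # the two term forms seen in the log

def parse_log(text):
    """Return (direct memberships, role expressions) found in checkBI.log text."""
    groups = {}
    for member, body in MEMBER.findall(text):
        groups.setdefault(member, set()).update(g.strip() for g in body.splitlines())
    return groups, dict(ROLE.findall(text))

def all_groups(name, groups):
    """Groups reached from name through nested membership (cycle-safe)."""
    seen, todo = set(), [name]
    while todo:
        for g in groups.get(todo.pop(), ()):
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen

def holders(role, groups, roles):
    """Map each principal that satisfies the role to the term granting it."""
    found = {}
    for term in (t.strip() for t in roles[role].split("|")):
        m = TERM.match(term)
        if not m:  # '&', '~' or other predicates change the meaning: review by hand
            raise ValueError("unsupported role expression term: " + term)
        kind, name = m.groups()
        names = [name] if kind == "Usr" else [p for p in groups if name in all_groups(p, groups)]
        found.update((n, term) for n in names)
    return found

if __name__ == "__main__":
    groups, roles = parse_log(SAMPLE_LOG)
    for principal, term in sorted(holders("Admin", groups, roles).items()):
        print(principal, "holds Admin via", term)
```

Only principals that appear in the log's membership listing can be resolved through groups, so the result covers the technical users the script checked, not every account in the provider.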

A blog focused on Tips & Tricks about Oracle Business Intelligence (OBI), Oracle Exalytics and Oracle Enterprise Performance Management (EPM) products.
[Blog Admin: ahmed awan]
