Monday Mar 24, 2014

BI Web service security client - authentication operations for and

This WLST/Python script connects to the BI security web service to authenticate a user specified in the "" file. In, this calls the getAuthenticatedUserWithLanguageAndProperties operation of the /bisecurity/service web service.

In, this calls the authenticate operation of the /bimiddleware/security/service web service.

The XML response includes the user's unique identifier (GUID) and other permissions/roles for the user. This is useful when debugging an issue with OBIEE security.

The script has to be run with %ORACLE_HOME%\oracle_common\common\bin\wlst.cmd (sh)

Script is available there:


Tuesday Jan 28, 2014

BI Check with WLST - SQL Datasources part 2

This second post continues with the BIEE security checks using WLST and Python. This time, the following information is gathered about BISQLGroupProvider:

*  looking for SQLGroupProvider in the configured providers
*  retrieving the SQL queries
*  retrieving the JDBC source details
*  testing the connection pool, for each server that uses it (make sure your BI server is up and running)
*  testing the SQL queries directly against the database, with the test.user and provided in the file


Friday Jan 24, 2014

BI Check with WLST - Providers and Technical users part 1

Checking OBIEE security configuration manually is relatively time-consuming. Using WLST and Python, it is possible to automate most of these tasks. The following script performs checks on OBIEE configuration. It is the first of a three-part series.

Monday Oct 14, 2013

Essbase Best Practice: Essbase Security File Auto Backup Intervals

By default, Essbase automatically backs up the Essbase security file, Essbase.sec, every 300 seconds (5 minutes). Most customers find that the overhead of this default backup frequency is unnecessary given their security update needs. It is recommended to change the default setting before the “build” and “go-live” phases so that Essbase.sec backups are better spaced and overhead is reduced.


Saturday Sep 03, 2011

EPM 11.1.2 - Exporting Security out of Hyperion Planning application

You can extract security information out of a Planning application using the following script on the Planning SQL tables:




Thursday Aug 25, 2011

I’m a customer, and I found a security vulnerability in an Oracle product, what should I do?

Open a Service Request with Oracle Support, as for any other product issue. Please do not log several vulnerabilities under one SR, as this would imply additional triage and could introduce delays. One vulnerability => One SR. Make sure to explicitly state in the SR that you consider the issue to be a security vulnerability, and attach the appropriate steps to reproduce, or a Proof of Concept.

As a simple example, a typical proof of concept for a cross-site scripting (XSS) vulnerability would be the steps showing that a JavaScript alert() can be executed by an attacker in a user's browser.

Oracle Support will not consider or comment on undemonstrated security vulnerabilities, or scanning software output alone, although these can be provided as additional information.

In a nutshell, the key to an efficient resolution of your issue is:

- create an SR as usual,

- visibly state “security vulnerability” in the SR,

- attach clear and unambiguous steps to reproduce.

Your issue will then be handled by a Support Analyst trained in handling security issues. The Support Analyst will help you find and apply a solution, if it already exists, or forward the SR as a bug to Oracle Development, who will issue a fix according to Oracle Policies.

Read all about Oracle Software Security Assurance here:

Friday Jul 01, 2011

EPM 11.1.2 - In Foundation Services, binder exception causing login and lockout issues with MSAD provider

Possible symptoms and errors:

  1. EPMCSS-00301: FAILED TO AUTHENICATE USER INVALID CREDENTIALS error thrown when logging in to Workspace, even with correct credentials
  2. MSAD account gets locked after successive failed login attempts
  3. Unable to log in with the native "admin" user or the MSAD admin user

The SharedServices_Security.log file shows the following:

[FoundationServices0] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 18] [userId: <anonymous>] [ecid: 0000J2MAfXF6QPP6yf7i6G1DyLC900000p,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [APP: WORKSPACE#] [SRC_METHOD: init] Failed to get connection [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db0] from connection pool for user directory <directory_name>. Error executing query. {2}. Verify user directory configuration.


“AcceptSecurityContext error, data 775, v1db0” means the bind userid or the bind password for MSAD is not set correctly. This could be the reason that the account is getting locked out. The MSAD provider code is trying to initialize the MSAD provider with the provided user/password. After three attempts of a bad login, MSAD locks out the account.
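
An added example (not part of the original post and not Oracle code): a Python sketch that pulls LDAP error 49 bind failures out of SharedServices_Security.log lines and decodes the hexadecimal "data" sub-code that Active Directory returns, where 52e is the Windows code for a bad user name or password and 775 the code for a locked-out account. The sample lines and the directory name CORP_AD are constructed, following the layout of the entry quoted above.

```python
import re

# Active Directory puts a hexadecimal Windows error code in the "data" field
# of an LDAP error 49 (bind failure). Well-known values:
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad user name or password)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LINE_RE = re.compile(
    r"\[(?P<msgid>EPMCSS-\d+)\].*?LDAP: error code (?P<ldap>\d+)\b.*?"
    r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)"
    r".*?for user directory (?P<directory>.+?)\. "
)

# Constructed sample lines, modelled on the log entry quoted above.
TEMPLATE = ("[FoundationServices0] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] "
            "[SRC_METHOD: init] Failed to get connection [LDAP: error code 49 - "
            "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
            "error, data {data}, v1db0] from connection pool for user directory "
            "{directory}. Error executing query.")
SAMPLE_LOG = [TEMPLATE.format(data=d, directory="CORP_AD")
              for d in ("52e", "52e", "52e", "775")]
SAMPLE_LOG.append("[FoundationServices0] [NOTIFICATION] unrelated constructed line")

def parse_bind_failures(lines):
    """Yield one dict per log line that records an LDAP error 49 bind failure."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("ldap") == "49":
            code = m.group("data").lower()
            yield {"directory": m.group("directory"), "data": code,
                   "reason": AD_BIND_SUBCODES.get(code, "unknown sub-code")}

def diagnose(lines):
    """Per user directory: bad-credential count, lockout flag, latest reason."""
    seen = {}
    for failure in parse_bind_failures(lines):
        seen.setdefault(failure["directory"], []).append(failure["data"])
    return {d: {"bad_credentials": codes.count("52e"),
                "locked_out": "775" in codes,
                "last_reason": AD_BIND_SUBCODES.get(codes[-1], "unknown sub-code")}
            for d, codes in seen.items()}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
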

If the “admin” user is not able to log in, that could be because there is a duplicate “admin” user in both MSAD and Native Directory. Authentication first goes to MSAD and fails because it is not able to get the JNDI connection, and then it goes to Native Directory. It fails with Native Directory because of a password mismatch.


  1. Validate the MSAD bind userid and password in the MSAD configuration screen in HSS.
  2. Change the password for the MSAD provider and restart Foundation Services.

By: Ruben V