After the Admin Server starts, go to the WebLogic Admin Console and check whether the Active Directory users and
groups are retrieved. If they are, the WebLogic console is able to use the given AD configuration details and retrieve
the users and groups from AD.
veera.raghavendra.rao@oracle.com
Page 17 of 51
Now assign either the Groups or Users from Active Directory to the Application Roles in FMW EM.
As per the ReadMe, we have to replace these files (US_export_policy.jar and local_policy.jar) from jce_policy-8.zip in
both JRE locations.
Before replacing the files from the zip, take a backup of the original files and then replace them.
The two locations are:
1. The initial Java 8 that you install before installing FMW Infrastructure and OBIEE
(C:\12c\Java\jdk1.8.0_77\jre\lib\security)
2. The JDK bundled with the Middleware home:
C:\12c\Middleware\Oracle_Home\oracle_common\jdk\jre\lib\security
This file (krb5.ini) contains the Kerberos configuration information necessary for the WebLogic server to locate and
communicate with the Kerberos server, and must have the following contents. Three variants were tested (RC4, AES128
and AES256), differing only in the encryption type; the RC4 variant is reproduced here:
*********************************************************************************
[libdefaults]
default_realm = CEAL.ORACLE.COM
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
permitted_enctypes = RC4-HMAC
ticket_lifetime = 600
[realms]
CEAL.ORACLE.COM = {
kdc = 10.240.106.128
admin_server = slc01pfz.us.oracle.com
default_domain = CEAL.ORACLE.COM
}
[domain_realm]
.ceal.oracle.com = CEAL.ORACLE.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
*********************************************************************************
Place this file (krb5.ini) in the C:\Windows directory.
Test whether the WebLogic Server is able to find the KDC server and obtain a ticket:
Verify your Kerberos configuration
It is crucial at this specific point to verify that Kerberos is set up properly and that your principal and keytab are
valid. If they are not, then there is no point in going further in the process.
kinit is a utility provided with the JDK on Windows and as part of the kerberos (or kerberos-tools) package on Linux
that can be used to validate your Kerberos configuration. NB at this stage we are just validating that the server itself
can communicate properly with the KDC, i.e. this is a machine-level test, not a test of the WebLogic config.
If your principal was created properly, you should be able to request a TGT (Ticket Granting Ticket) from Kerberos
using that principal. If the keytab file was generated properly, then you should be able to use this file instead of the
password of your account. kinit tests both simultaneously. The syntax is:
kinit -k -t <keytab-file> HTTP/<Weblogic_HostName>
NB in Unix/Linux the principal name will be fully qualified in the form HTTP/<wls-server>, and the syntax differs
slightly in that the -V switch should be added or else it will complete silently.
So, in our example scenario for Windows the syntax is:
C:\12c\Java\jdk1.8.0_77\bin\kinit -k -t C:\12c\Middleware\Oracle_Home\user_projects\domains\bi\slc07czg.keytab HTTP/slc07czg.us.oracle.com
By default, on the Windows platform a cache file named <USER_HOME>\krb5cc_<USER_NAME> will be generated
and the output should be something similar to:
New ticket is stored in cache file C:\Users\aime\krb5cc_aime
And for Linux the example syntax would be:
kinit -V -k -t /scratch/12c/FMW/Oracle_Home/user_projects/domains/bi/slc07czg.keytab HTTP/slc07czg.us.oracle.com
Right now my krb5.ini file has RC4-HMAC as the encryption type and the kinit goes fine
Let us check for AES128 encryption:
Right now my krb5.ini file has AES128-CTS-HMAC-SHA1-96 as the encryption type and the kinit goes fine
Let us check for AES256 encryption:
Right now my krb5.ini file has AES256-CTS-HMAC-SHA1-96 as the encryption type and the kinit doesn't pass.
For AES256 it shows no support even though the ktpass command runs fine.
The reason is that AES256 encryption is not fully supported at the Windows 2008 R2 domain level; it works
well if the AD Domain Level is 2012.
NOTE: For OBIEE12c on Windows 2008/2012 With Active Directory at Domain Level 2008 R2 we can use
RC4 and AES128 Encryptions.
NOTE: For OBIEE12c on Windows 2008/2012 With Active Directory at Domain Level 2012 R2 we can use
RC4, AES128 and AES256 Encryptions.
If you got to this step without any error, then you have successfully configured the KDC. Otherwise, please consult
the section on troubleshooting Kerberos configuration.
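Before running kinit, the enctype lines of krb5.ini can be checked against the domain-level findings above. The following Python is an added example, not part of the original document: it parses the document's RC4 krb5.ini (embedded, with the [realms] section trimmed), reports enctypes the stated AD domain level cannot use, and flags inconsistent tkt/tgs/permitted values; the domain-level table is taken from the text, not from Microsoft documentation.

```python
"""Check a krb5.ini's enctypes against the AD domain level before running kinit.
Added example, not from the document; the table encodes the document's own
findings (RC4 and AES128 worked at AD level 2008 R2, AES256 only at 2012 R2)."""

SUPPORTED_BY_DOMAIN_LEVEL = {
    "2008R2": {"RC4-HMAC", "AES128-CTS-HMAC-SHA1-96"},
    "2012R2": {"RC4-HMAC", "AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"},
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# The document's RC4 krb5.ini, trimmed to the sections this check reads.
RC4_INI = """[libdefaults]
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
permitted_enctypes = RC4-HMAC
[realms]
CEAL.ORACLE.COM = {
kdc = 10.240.106.128
}
"""

def parse_libdefaults(text):
    """Return [libdefaults] key/values; the braces in [realms] rule out configparser."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "*")):
            continue  # blanks, comments and the document's *** separator lines
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value.upper()
    return settings

def check_enctypes(text, domain_level):
    """Return (errors, warnings) for the file against the given AD domain level."""
    settings = parse_libdefaults(text)
    errors, warnings = [], []
    chosen = {settings[k] for k in ENCTYPE_KEYS if k in settings}
    if len(chosen) > 1:  # kinit may pass while a later TGS request fails
        errors.append("tkt/tgs/permitted enctypes differ: %s" % sorted(chosen))
    for key in ENCTYPE_KEYS:
        for enctype in settings.get(key, "").split():
            if enctype not in SUPPORTED_BY_DOMAIN_LEVEL[domain_level]:
                errors.append("%s=%s is unusable at AD level %s" % (key, enctype, domain_level))
    if "RC4-HMAC" in chosen:  # works in every case above, but it is a legacy cipher
        warnings.append("RC4-HMAC is legacy; prefer AES once the domain level allows it")
    return errors, warnings
```

Swapping RC4-HMAC for AES128-CTS-HMAC-SHA1-96 or AES256-CTS-HMAC-SHA1-96 in the embedded text reproduces the three checks the document ran with kinit.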
Note that we specify just the name of the keytab file, as both the keytab file and the krb5Login.conf file are in the
WebLogic domain directory. Also note the quotation marks around the principal name; these are required.
Next, we need to specify the file location as a startup option in the WLS java command line:
-Djava.security.auth.login.config=krb5Login.conf
and specify the two following additional java options:
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.enableNegotiate=true
These settings can be specified in the WebLogic domain environment script, which can be found in the bin
subdirectory under the WebLogic domain directory. So, in our example scenario, we would edit the file
%ORACLE_HOME%\user_projects\domains\bi\bin\setDomainEnv.cmd
Find the line that reads:
set JAVA_PROPERTIES=%JAVA_PROPERTIES% %EXTRA_JAVA_PROPERTIES%
and before it, insert this line:
set EXTRA_JAVA_PROPERTIES=-Djava.security.auth.login.config=C:\12c\Middleware\Oracle_Home\user_projects\domains\bi\krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.realm=CEAL.ORACLE.COM -Djava.security.krb5.kdc=slc01pfz.us.oracle.com -Dsun.security.krb5.debug=true -Djava.security.enableNegotiate=true -Djava.security.krb5.conf=C:\Windows\krb5.ini %EXTRA_JAVA_PROPERTIES%
N.B. you will, of course, need to restart the WebLogic Admin Server and any/all Managed Servers for these settings to
take effect.
If your Weblogic server is on Linux and you were not able to place the krb5.conf file in the default location (usually
/etc/krb5 in Oracle Unbreakable Linux, but check details if you are using an alternate distribution), you also need to
specify the parameter -Djava.security.krb5.conf=<path>/krb5.conf before the %EXTRA_JAVA_PROPERTIES%.
Click the Reorder button, then select the tickbox next to your NegotiateIdentityAsserter (SPNEGOAsserter in our
example), then use the shuttle control to put the NegotiateIdentityAsserter second in the list behind the
ActiveDirectoryAuthenticator we configured earlier.
Make a backup copy of the ear file so that you have a restore point to refer back to (and revert to) if needed.
Unpack the analytics.ear file to a temporary location, using the Java jar tool. Use the command line options xvf to
extract the contents to the current working directory
(e.g. C:\12c\Java\jdk1.8.0_77\bin\jar xvf C:\12c\Middleware\Oracle_Home\bi\bifoundation\jee\analytics.ear), so
you will probably want to create a temporary directory to hold the unpacked contents and change into that directory
before running the command.
The ear contains a META-INF directory and two war files, analytics.war and analytics-ws.war.
Unpack the analytics.war file to a second temporary location; it contains a default.jsp file and five top-level
directories, one of which is called WEB-INF.
Note that in practice, it has been observed that different platforms require slightly different formatting of the text
above.
Make sure there are no hidden characters and check the quotes are correct for your platform. In particular, it has
been noticed that cutting and pasting out of a document does not always result in a successful weblogic.xml.
The name of the role is not important, so long as it is consistent in this file and in sections we will add in the web.xml
file in the next step.
The principal name element(s) should refer to the Active Directory groups (not Application Roles) you wish to allow
access to the application. NB all BI users will need to be members of at least one of these groups.
Also, in the WEB-INF directory, you will find an existing file called web.xml. Edit web.xml and look for a section like
this:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
Replace this section with the following:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>BI Analytics</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SSORole</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <role-name>SSORole</role-name>
</security-role>
The name of the role is not important, so long as it is consistent in this file and in the weblogic.xml file.
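The consistency requirement above can be checked mechanically before repackaging. The following Python is an added example, not part of the original document: it extracts the role names from the web.xml fragment shown and from a constructed weblogic.xml written in the standard security-role-assignment layout (the AD group name BI_Users is a placeholder), and reports any mismatch between the two descriptors.

```python
"""Cross-check the role name shared by the edited web.xml and weblogic.xml.
Added example, not from the document. WEB_XML is the document's fragment;
WEBLOGIC_XML is constructed in the standard security-role-assignment layout."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
<security-constraint>
<web-resource-collection><web-resource-name>BI Analytics</web-resource-name>
<url-pattern>/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>SSORole</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>CLIENT-CERT</auth-method></login-config>
<security-role><role-name>SSORole</role-name></security-role>
</web-app>"""

# Constructed weblogic.xml; the AD group name BI_Users is a placeholder.
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
<security-role-assignment>
<role-name>SSORole</role-name>
<principal-name>BI_Users</principal-name>
</security-role-assignment>
</weblogic-web-app>"""


def role_names(xml_text, parent_tag):
    """Return the <role-name> values under every <parent_tag>, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    names = set()
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == parent_tag:
            names.update(c.text.strip() for c in el if c.tag.rsplit("}", 1)[-1] == "role-name")
    return names


def check_role_consistency(web_xml, weblogic_xml):
    """Return a list of mismatches; an empty list means the descriptors agree."""
    constrained = role_names(web_xml, "auth-constraint")
    declared = role_names(web_xml, "security-role")
    assigned = role_names(weblogic_xml, "security-role-assignment")
    problems = []
    for role in constrained - declared:
        problems.append("%s is used in auth-constraint but not declared in security-role" % role)
    for role in (constrained | declared) - assigned:
        problems.append("%s has no security-role-assignment in weblogic.xml" % role)
    for role in assigned - declared:
        problems.append("%s is assigned in weblogic.xml but absent from web.xml" % role)
    if not constrained:  # without an auth-constraint the /* pattern protects nothing
        problems.append("no auth-constraint: the application is reachable without SSO")
    return problems
```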
Once you have edited both files, repackage the analytics.war file, again using the jar tool, and, in turn, repackage that
back into the analytics.ear file.
Next we need to redeploy the analytics.ear file to Weblogic so that the new security constraint will come into effect.
Log into the WebLogic Admin Console and click on Deployments.