Configuring ODI External User Authentication

7/14/2014
Configuring ODI External User Authentication

Note: Instructions and any text that you need to modify are enclosed in <>.
This tutorial contains the following sections:
Purpose
Time to Complete
Overview
Scenario
Software and Hardware Requirements
Prerequisites
Use SQL Developer to create an RDBMS (11g)
Schema/User for a new ODI Master Repository
Edit the ODI Studio jps-config.xml File to Point to Your
External OID LDAP Server
Switch the Master Repository Authentication Mode Between
External and Internal Authentication
Edit an ODI Standalone Agent jps-config.xml File to Point to
Your External OID LDAP Server
Understand External User Authentication in a Java EE
Context
Summary
Resources
Purpose
This tutorial walks you through the steps needed to configure Oracle Data Integrator (ODI) for external user authentication.
Time to Complete
Approximately 20 minutes
Overview
Oracle Data Integrator stores all user information as well as users' privileges in the master repository by default. When a
user logs in to ODI, it logs in against the master repository. This authentication method is called Internal Authentication.
Oracle Data Integrator can optionally use Oracle Platform Security Services (OPSS), a standards-based and portable
security framework for Java applications, to authenticate its users against an external Identity Store, which contains
enterprise users and passwords. Such an identity store is used at the enterprise level by all applications, in order to have
centralized user and password definitions and Single Sign-On (SSO). In such a configuration, the ODI master repository
only contains references to these enterprise users. This authentication method is called External Authentication.
Note: When using External Authentication, only users and their passwords are externalized. ODI privileges
remain within the repository. Data servers and context passwords also remain in the master repository. It is
possible to externalize data server and context passwords, using the ODI External Password Storage
feature.
ODI can authenticate its users against a variety of external identity stores, such as Oracle Internet Directory (OID) LDAP
Server or WebLogic Server. This OBE provides a step-by-step walkthrough of the process of configuring ODI with OID
LDAP Server. The steps for configuring authentication with other external identity stores are very similar.
Note: The steps to configure ODI external user authentication are also outlined in the ODI 11g Developer's Guide.
In this tutorial, you learn how to:
http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/odi/odi_11g/odi_external_authentication/odi_external_authentication.htm?print=preview&imgs=vis
1/20
7/14/2014
Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
Edit the ODI Studio jps-config.xml file to point to your external OID LDAP Server
Create a new ODI Master Repository using an authenticated user in the external OID LDAP Server
Switch the Master Repository authentication mode between external and internal authentication
Edit an ODI standalone agent jps-config.xml file to point to your external OID LDAP Server
Understand external user authentication in a Java EE context
Scenario
You work as a database administrator for Global Enterprise. In Global Enterprise, you are responsible for managing the
security of the Oracle Data Integrator development environment. Instead of relying upon the internal user authentication
available in ODI, you will establish external user authentication, taking advantage of the user accounts managed by your
company's centralized OID LDAP Server.
Software and Hardware Requirements

2/20
7/14/2014
The following is a list of software requirements:

The system should include the following installed products:
Oracle Database 11g
Oracle Data Integrator 11g Release 1
An external authentication provider such as LDAP, OID, or WLS
If not done before, start the services and components for Oracle Database 11g.
Prerequisites
Before you start the tasks, make sure that your system environment meets the following requirements:
1. You have installed Oracle Database 11g. If not done before, start the services and components for Oracle
Database 11g.
2. You have installed Oracle Data Integrator 11g Release 1.
.
You have installed an external authentication provider such as LDAP, OID, or WLS.
Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master
Repository
1. Start SQL Developer by selecting Start > Programs > [Oracle Datab ase home] > Application Development > SQL
Developer.
When SQL Developer opens, close the Logging Page Log tab.
2 . In SQL Developer, create a new connection.
3/20
7/14/2014
3. Name this new connection: Administrator. Enter SYSTEM for Username. Enter oracle1 for Password. For SID,
enter: ORCL. Clisk Test, and then click Connect. Click + to expand connection Administrator.
4/20
7/14/2014
4. You have to create the RDBMS schema/user (Oracle 11g) for the Master repository. The schemas can be created
by executing the following SQL commands:
create user <MY_SCHEMA> identified by <MY_PASS>
default tablespace <MY_TBS> temporary tablespace <MY_TEMP>;
grant connect, resource to <MY_SCHEMA>;
Where:
<MY_SCHEMA> corresponds to the name of the schema that you want to create
<MY_PASS> corresponds to the password that you gave
<MY_TBS> corresponds to the Oracle tablespace where the data will be stored
<MY_TEMP> corresponds to the temporary default tablespace
5/20
7/14/2014
In this example, to create the user vishal for master repository, enter the following command. Click Execute
statement icon .
create user vishal identified by vishal

default tablespace users temporary tablespace temp;
Note: In this command, vishal is the value of the password to connect to the user vishal.
Edit the ODI Studio jps-config.xml File to Point to Your External OID LDAP Server
In this example, we are going to point to an external identity store that is an OID LDAP Server. For your purposes,
use the following instructions to point to your own identity store, which might be an OID or WebLogic or other LDAP
Server.
Let's take a look at a typical OID LDAP Server, which has a user named SUPERVISOR already defined. Later, this
SUPERVISOR user will become our externally authenticated ODI user.
Oracle Directory Services Manager can be used to look at the contents of an OID LDAP Server:
Below, we see the user named SUPERVISOR. Later in this OBE, we will see how to define a new ODI Master
Repository using this externally authenticated SUPERVISOR user:
6/20
7/14/2014
1 . The configuration to connect to and use the identity store is contained in an OPSS Configuration file called jpsconfig.xmlfile. Edit the jps-config.xml file to point to your external OID LDAP Server.
Note: The following sample section from a jps-config.xml file points to an imaginary OID LDAP Server. Do not
attempt to copy this sample literally for your environment. Refer to the Oracle Fusion Middleware Security Guide for
more information on editing your jps-config.xml file.
The sample section, below, from a jps-config.xml file shows an LDAP Server section added, in which the
credentials for the LDAP Server are established:

<serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
<property name="subscriber.name" value="dc=us,dc=oracle,dc=com" />
<property name="idstore.type" value="OID" />
<property name="security.principal.key" value="ldap.credential"/>
<property name="security.principal.alias" value="JPS"/>
<property name="ldap.url" value="ldap://*****PUT_YOUR_LDAP_SERVER_HERE*****" />
<extendedProperty>
<name>user.search.bases</name>
<values>
<value>cn=users,dc=us,dc=oracle,dc=com</value>
</values>
</extendedProperty>
<extendedProperty>
<name>group.search.bases</name>
<values>
<value>cn=groups,dc=us,dc=oracle,dc=com</value>
</values>
</extendedProperty>
<property name="username.attr" value="uid" />
<property name="groupname.attr" value="cn" />
7/20
7/14/2014
</serviceInstance>
Reference this service instance in the default JPS context by its name idstore.oid and also add the login module
configuration as follows:
<jpsContext name="default">
<serviceInstanceRef ref=" idstore.oid "/>
<serviceInstanceRef ref="idstore.loginmodule"/>
</jpsContext>
After editing this file to point to your external identity store, copy the file into the ODI_HOME/oracledi/client/odi/bin/
directory. The ODI Studio reads the identity store configuration and authenticates against the configured identity
store.
If you want to locate this file in a different location, edit the ODI_HOME/oracledi/client/odi/bin/odi.conf file and edit
the option that sets the location of the configuration file. This option is set in the following line:
AddVMOption -Doracle.security.jps.config=./jps-config.xml
By default, odi.confexpects jps-config.xml to reside in the same execution directory as odi.conf.
2 . Run the script to set up the credentials for idstore.oid or other LDAP in the identity store:
Navigate to where the run_credtool script resides in your environment,
perhaps <HOME>/custom/FusionLibraries/tools.
Run the run_credtool.cmd or sh script.
When the script prompts for input, defaults are shown in [].
Enter the input on the line following the prompt. The following 5 lines show you which defaults to take. In the
5th line, use the location path where your jps-config.xml file resides:
[input] Alias: [JPS]
[input] Key: [ldap.credential]
[input] User Name:cn=user name
[input] Password:password
[input] JPS Config:[ORACLE_HOME\custom\FusionLibraries\tools/../../../config/jps-config.xml]
Note:
The Alias and Key input must match the values used in the serviceInstance security.principal.alias and
security.principal.key respectively.
Again, refer to the Oracle Fusion Middleware Security Guide for more information on editing your jps-config.xml
file.
3 . Restart the WebLogic Server domain.
Create a new ODI Master Repository Referencing a User in the External OID LDAP
Server
1 . In the next few steps you create the ODI Master repository. Start Oracle Data Integrator: Start > Programs > Oracle
ODI 11g-Home> Oracle Data Integrator > ODI Studio
8/20
7/14/2014
2 . Open the New Gallery by choosing File > New. In the New Gallery, in the Categories tree, select ODI. Select from
the Items list the Master Repository Creation Wizard. Click OK. The Master Repository Creation Wizard appears.
3 . In the Master Repository Creation Wizard, select the browse icon of the JDBC Driver and then select Oracle JDBC
Driver. Click OK. Edit the JDBC URL to read:
jdbc:oracle:thin: localhost:1521:orcl
Enter the User as vishal and the Password as vishal. Click the Test Connection button and verify successful
connection. Click OK. Click Next on the Master Repository Creation Wizard screen.
9/20
7/14/2014
4 . In the Authentication window, select Use External Authentication. (If you had selected Use ODI Authentication,
you would have been using ODI's internal authentication.)
Enter Supervisor User and Supervisor Password, as they exist in your external data store; in our case, we are
specifying the user "SUPERVISOR" in our OID LDAP Server . Click Next.
Note: User names and passwords are case-sensitive in ODI.
http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/odi/odi_11g/odi_external_authentication/odi_external_authentication.htm?print=preview&imgs=vi
10/20
7/14/2014
5 . In the Password Storage window, select Internal password Storage, and then click Finish. When the Master
Repository is successfully created, you will see the Oracle Data Integrator Information message. Click OK. The
ODI Master repository is now created.
11/20
7/14/2014
6 . You connect to the ODI Master repository by creating a new ODI Master Login. Open the New Gallery by choosing
File > New. In the New Gallery, in the Categories tree, select ODI. From the Items list, select Create a New ODI
Repository Login.
12/20
7/14/2014
7 . Configure Repository Connections with the parameters from the table provided below.
In the Oracle Data Integrator Connection section, enter the User and Password of the authenticated user in your
external store. In this example, we specify SUPERVISOR/SUNOPSIS from the OID LDAP Server.
In the Database Connection (Master Repository) section, enter the User and Password of the schema user you
created for the master repository. In this example, we specify vishal/vishal.
To enter the JDBC URL, click the button next to JDBC URL field and select jdbc:oracle:thin:@<host>:<port>:<sid>
as shown in the screenshot, then edit the URL. Select Master Repository Only button. Click Test button. Verify
successful connection and click OK. Click OK to save the connection.
Oracle Data Integrator Connection
Parameter
Value
Login Name
Master Repository
User
SUPERVISOR
Password
SUNOPSIS
Database Connection (Master Repository)

Parameter
Value
User
vishal
Password
vishal
Driver List
Oracle JDBC Driver
13/20
7/14/2014
Driver Name oracle.jdbc.OracleDriver

Url
jdbc:oracle:thin:@localhost:1521:orcl
Note: Do not copy and paste in the JDBC URL field. This may cause problems with entering a valid URL string.
Instead, open the drop-down menu and select the correct driver from the list. Type the correct URL in the URL
field.
Switch the Master Repository Authentication Mode Between External and Internal
Authentication
1. Switching the authentication mode of the Oracle Data Integrator repository changes the way users authenticate.
14/20
7/14/2014
This operation must be performed by a Supervisor user.

WARNING:
When switching from an External to Internal authentication, user passwords are not copied from the
identity store to the repository. The passwords are nullified. All the user accounts are marked as
expired and must be reactivated by a SUPERVISOR that is created during the switch.
When switching from Internal to External authentication, the users that exist in the repository and
match a user in the identity store are automatically mapped. Users that do not match a user in the
identity store are disabled. A Supervisor must edit the users so that their name has a match in the
identity store.
The context passwords are lost. Passwords for data servers, jdbc password of the work repository,
and ESS related passwords are removed from their credential store.
Use the Switch Authentication Mode wizard to change the user authentication mode.
Before launching the Switch Authentication Mode wizard perform the following tasks:
Disconnect Oracle Data Integrator Studio from the repository.
Shut down every component using the Oracle Data Integrator repository.
To use the Switch Authentication Mode wizard:
From the ODI main menu, select Switch Authentication Mode.
15/20
7/14/2014
The Switch Authentication Mode wizard appears.
2. Specify the JDBC connectivity details of your Oracle Data Integrator master repository as defined when you
connected to the Master Repository.
16/20
7/14/2014
Click Next.
3. The next action varies, depending on the current Authentication Mode in use:
If currently using Internal Authentication, you are prompted to switch to external authentication.
If currently using External Authentication, you are prompted to switch to internal authentication. You must
provide and confirm a password for the SUPERVISOR user that the wizard will automatically create in the
repository.
17/20
7/14/2014
Click Finish.
The Authentication mode is changed.
If you have switched from external to internal authentication, you can now re-connect to the Oracle Data
Integrator repository as SUPERVISOR, with the password you have provided in the wizard. Once connected,
you can edit each user to reactivate it and set a password for this user.
If you have switched from internal to external authentication, you can now re-connect to the Oracle Data
Integrator repository as one of the users with supervisor privileges, and re-enable the Oracle Data Integrator
users that have been disabled during the switch.
4. Reactivating Users After Switching to Internal Authentication
To reactivate a User:
1.
2.
3.
4.
5.
In Security Navigator expand the Users accordion.

Select the user that you want to reactivate from the list of users.
Right-click and select Edit. The User editor appears.
Un-select Allow Expiration Date.
If you want to set a password for this user, click Change Password and enter the new password for this
user.
6. From the File main menu, select Save.
7. Re-Enable Users After Switching to External Authentication.
To re-enable a User:
1.
2.
3.
4.
5.
In Security Navigator expand the Users accordion.

Select the user that you want to re-enable from the list of users.
Right-click and select Edit. The User editor appears.
In the Name field, enter a user name that matches the login of an enterprise user in the identity store.
Click Retrieve GUID. If the user name has a match in the identity store, this external user's GUID appear in
18/20
7/14/2014
the External GUID field.

6. From the File main menu, select Save.
Edit an ODI Standalone Agent jps-config.xml File to Point to Your External OID LDAP
Server
1 . A common task using ODI is to set up and install ODI agents. After the ODI scenarios are created, they can be
scheduled and orchestrated using an ODI agent, which is a lightweight Java process that orchestrates the
execution of ODI scenarios.
For standalone agents, the configuration to connect and use the external identity store is contained in a copy of the
same OPSS configuration file jps-config.xml that you used to configure the ODI Studio.
However, you need to place the copy of this file for standalone agent in a different folder. Copy this file to the
ODI_HOME/oracledi/agent/bin/ directory. The agent and the command line scripts will authenticate against the
configured identity store.
Refer to the Oracle Fusion Middleware Security Guide for more information.
2 . Edit the odiparams.sh file, entering appropriate values, such as:

ODI_MASTER_DRIVER=oracle.jdbc.driver.OracleDriver
ODI_MASTER_URL=jdbc:oracle:thin:@localhost:1521:nrdb
ODI_MASTER_USER=EAMASTER ODI_MASTER_ENCODED_PASS=gxfpqkz074jeaCpL4XSEFzxoj8E0p
ODI_SECU_WORK_REP=WORKREP1
ODI_SUPERVISOR=SUPERVISOR
ODI_SUPERVISOR_ENCODED_PASS=fJya.vR5kvNcu9TtV,jVZEt
19/20
7/14/2014
3 . To encode the password:

<ODI_HOME>/oracledi/agent/bin/encode.sh <password>
Understand External User Authentication in a Java EE Context

1 . Oracle Data Integrator components deployed in a container (Java EE Agent, Oracle Data Integrator Console) do
not require a specific configuration. They use the configuration of their container.
Refer to the Oracle Fusion Middleware Security Guide for more information on OPSS configuration in a Java EE
context.
In JRF-enabled J2EE containers (Agent in WebLogic Server [WLS]):
Configure Java Required Files (JRF) on WLS.
As soon as you configure your J2EE container (currently only WLS is supported) with JRF enabled, OPSS will
be configured for the application deployed inside.
By default, OPSS is configured to use the WLS internal LDAP Identity Store. You need to configure a new
Authenticator inside WLS if you want to use an external, central OID.
Useful resources
Introduction to Oracle Platform Security Services:
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/underjps.htm
OPSS Configuration File Reference:
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/apjpscfg.htm#BEHDBJED
Summary
In this tutorial, you have learned how to:
Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
Edit the ODI Studio jps-config.xml file to point to your external OID LDAP Server
Create a new ODI Master Repository using an authenticated user in the external OID LDAP Server
Switch the Master Repository authentication mode between external and internal authentication
Edit an ODI standalone agent jps-config.xml file to point to your external OID LDAP Server
Understand external user authentication in a Java EE context
Resources
Oracle Data Intergator 11g Documentation
To learn more about other Oracle products, refer to additional OBEs in the Learning Library.
About Oracle |Oracle and Sun |
| Careers | Contact Us | Site Maps |
Legal Notices | Terms of Use | Your Privacy Rights
20/20

Configuring ODI External User Authentication

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Configuring ODI External User Authentication

Încărcat de

Drepturi de autor:

Formate disponibile

7/14/2014