OBIEE 11G Architecture
OBIEE 11G Architecture is completely different from OBIEE 10.1.3.x Architecture.
The OBI system logical architecture comprises a single integrated set of manageable components called the Oracle BI Domain, which can be installed and configured to work together on a single host or clustered across multiple hosts for performance and availability.
Note: To improve performance in an OBI production environment, use a web server, for example Apache HTTP Server.
1. We have two main components: i) Java Components ii) System Components.
2. Java Components: J2EE applications running on WebLogic Server.
- Java Components are mainly divided into a) Admin Server b) Managed Server.
- Each server runs in its own dedicated Java Virtual Machine.
- Admin Server: This is nothing more than a set of J2EE applications that help us administer the system.
- Admin Console: An administrative user interface that provides advanced management for WebLogic, J2EE components and security.
- Fusion Middleware Control: An administrative user interface that is used to manage the BI domain.
- JMX MBeans: Java components that provide programmatic access for managing a BI domain.
- Managed Server: These are J2EE applications that support the functioning of the OBIEE system.
- BI Plugin: Routes HTTP and SOAP requests to BI Presentation Services.
- BI Security: Enables the integration of the OBIEE server and the Fusion Middleware security platform through web service calls.
- BI Action Services: Provides the dedicated web services that are required by the action framework and that enable an administrator to manually configure which web service directories can be browsed by users when they create actions.
- Web Services SOA: Provides web services for objects in the OBIEE Presentation Catalog, to invoke analyses, agents and conditions.
- BI Office: Provides the integration between OBI and Microsoft Office products.
- Two particular applications: BI Publisher (reporting system) and RTD (a technology platform that enables the analysis of data and provides insight by using data mining algorithms and techniques in real time).
- Node Manager: Provides process management services for the Admin Server and Managed Server processes.
System Components: These are non-JEE components written in C++ and J2SE. They provide the server processes of Oracle Business Intelligence, including OPMN (Oracle Process Manager and Notification Server), which maintains the Oracle Business Intelligence system component processes.
1. Oracle BI Server: Provides the query and data access capabilities for the semantic model layer (RPD).
2. Oracle BI Presentation Services: Provides the framework and interface for presenting Business Intelligence data to web clients.
3. Oracle BI Scheduler: Schedules the delivery of reports to users at specified times.
4. Oracle BI JavaHost: Provides component services that enable OBI Presentation Services to support various services such as Java tasks for Oracle BI Scheduler, OBI Publisher and graph generation.
5. Oracle BI Cluster Controller: Sends requests to the BI Server and ensures that requests are evenly load-balanced across all the BI Server process instances in the BI Domain.
-------------------------------------------------------------------------------------------------------------------------
OBIEE11G SECURITY:
•Security in OBIEE11G is tightly integrated with the Oracle Fusion Middleware Security Architecture.
•By default, an OBI installation is configured with an authentication provider that uses the Oracle WebLogic Server embedded LDAP server for user and group information.
•The OBI default policy store provider and credential store provider store credentials, application roles and application policies in files in the domain.
•Authentication: The default authentication provider accesses user and group information that is stored in the LDAP server embedded in the WebLogic Server domain for Oracle Business Intelligence.
•Authorization: After a user has been authenticated, the next critical step is to ensure that the user can do and see what they are authorized to do and see. Authorization is controlled by a security policy defined in terms of application roles.
•Application Roles: OBI uses a role-based access control model. Security is defined in terms of application roles that are assigned to directory server groups and users. For example, the default application roles are BIAdministrator, BIConsumer and BIAuthor. An application role represents a functional role that a user has, which gives that user the privileges required to perform that role. For example, a SalesAnalyst application role might grant a user access to view, edit and create reports.
The group named BIAuthors contains User4 and User5. Users in the group BIAuthors are assigned the application role BIAuthor, which enables them to create reports.
The group named BIAdministrators contains User6 and User7. Users in the group BIAdministrators are assigned the application role BIAdministrator, which enables them to manage responsibilities.
Security Policy: Policy is divided into 1. OBI Presentation Services 2. Repository and 3. Policy store.
1. OBI Presentation Services: Defines which catalog objects and OBI Presentation Services functionality can be accessed by which users with specific application roles.
Access to functionality is defined in the Managing Privileges page in terms of OBI Presentation Services privileges, and access to OBI Presentation Catalog objects is defined in the Permission dialog.
2. Repository: Defines which metadata items within the repository can be accessed by which application roles and users.
3. Policy Store: Defines which BI Server, Oracle BI Publisher and Oracle Real-Time Decisions functionality can be accessed by given users or users with application roles.
Configure Security in OBIEE:
1. Using Oracle WebLogic Server Admin Console.
2. Using Fusion Middleware Control.
3. Using Oracle BI Admin Tool.
4. Using Presentation Services.
- Creating a new user in Oracle WebLogic Server.
2. In Oracle WebLogic Server Admin Console, select Security Realms from the left-hand side and click the realm.
3. Select the Users and Groups tab, then Users. Click New.
In the Create a New User page provide the following information:
1. Name and description.
2. Select the provider from the list that corresponds to the identity store where the user information is contained.
DefaultAuthenticator is the name of the default authentication provider.
Password: Enter a password for the user that is at least 8 characters long.
Confirm password.
- To create a group in the embedded WebLogic LDAP server.
1. Launch Oracle WebLogic Server Admin Console.
2. Select Security Realms from the left pane and click the realm you are configuring, for example myrealm.
3. Select the Users and Groups tab, then Groups. Click New.
4. In the Create a New Group page provide the following information.
5. Give the name and description.
6. Select the authentication provider from the list that corresponds to the identity store where the group information is contained. DefaultAuthenticator is the name of the default authentication provider. Click OK.
Assigning a user to a group in the embedded WebLogic LDAP server.
1. Launch Oracle WLS Admin Console.
2. In Oracle WLS Admin Console, select Security Realms from the left pane and click the realm you are configuring.
3. Select the Users and Groups tab, then Users.
4. In the Users table, select the user you want to add to a group.
5. Select the Groups tab.
6. Select a group or groups from the available list box.
7. Click Save, then OK.
----------------------------------------
Four places we have to look into for OBIEE11G security.
1. Using Oracle WebLogic Server Admin Console:
1. Use the Oracle WebLogic Server Admin Console to manage the default WebLogic LDAP server that is used to authenticate users and groups.
2. Oracle WebLogic Server is automatically installed and serves as the default admin server.
3. The Admin Console is browser based and is used to manage the embedded directory server that is configured as the default authenticator.
4. URL of the WebLogic console: http://<hostname:port_number>/console. The port number is the same as the one used for the Admin Server; 7001 is the default port.
5. Log in to the Admin Console with the same user name and password that you gave during the installation of OBIEE11G.
6. Use the tabs and options in the domain structure as required to configure users, groups and other options.
----------------------------------------------
2. Using Oracle Fusion Middleware Control:
1. Fusion Middleware Control is a web browser-based graphical user interface that enables you to administer a collection of components called a farm.
A farm contains Oracle WebLogic Server domains, one Administration Server, one or more Managed Servers, clusters and the Oracle Fusion Middleware components that are installed, configured and running in the domain.
2. During installation a WebLogic Server domain is created and Oracle Business Intelligence is installed into that domain. The domain is named bifoundation_domain in a simple installation, and is found under the WebLogic Domain folder in the Fusion Middleware Control navigation pane.
3. Manage application roles and application policies that control access to Oracle Business Intelligence resources.
4. Manage SSO and SSL.
5. Configure multiple authentication providers for OBI.
6. To log in to Fusion Middleware Control, open a web browser and enter the Fusion Middleware Control URL:
http://<hostname:port>/em
The port number is that of the Admin Server; the default port number is 7001.
7. To log in to Fusion Middleware Control, enter the same system administrator user name and password that were used in the installation process.
8. From the farm main page, expand the Business Intelligence folder.
9. Select coreapplication to display pages specific to OBI.
10. Manage OBI security using Fusion Middleware Control as follows: 1. Manage application roles and application policies 2. Configure SSO 3. Configure SSL.
------------------------------
3. Using OBI Admin Tool:
1. Log in to the Admin Tool.
2. Select Manage, then Identity to display the Identity Manager dialog.
It shows the identity dialog and the installed application roles BIAdministrator, BIAuthor and BIConsumer.
3. If you double-click an application role to display the Application Role dialog and then click Permissions, you can use the Object Permissions tab to view or configure the repository Read and Write permissions for that application role.
4. Close Identity Manager.
5. In the Presentation pane, expand a folder, then right-click an object to display the Presentation Table dialog.
6. Click Permissions to display the Permissions table name dialog.
---------------------------------------------
4. Using Presentation Services Admin:
1. To use the Presentation Services Admin page:
2. Log in to OBI with Admin privileges and select the Admin link to display the Admin page.
3. Select the Manage Privileges link.
4. Select a link for a particular privilege to display the Privilege dialog.
5. Click the Add Users and Roles icon to display the Add Application Roles, Catalog Groups and Users dialog.
Steps for setting up security in OBI:
1. The embedded WebLogic LDAP server is the default authentication provider.
1. Set up the users that you want to deploy: create a new user in the embedded WebLogic LDAP server.
2. If you want to, assign users to the default groups.
3. If you want to create new groups, set up the groups that you want to use.
4. Assign your users to appropriate groups.
5. Set up the application roles that you want to deploy in Fusion Middleware Control.
6. Assign each group to an appropriate application role, as follows:
1. If you are using the default groups (BIConsumers, BIAuthors and BIAdministrators) that are installed with the default embedded WebLogic LDAP server, then these groups are assigned to an appropriate application role.
7. Tune the permissions that users and groups have in the Presentation Services Admin page.
8. If you want to deploy SSO, enable SSO authentication.
9. Deploy SSL (Secure Sockets Layer).
-------------------------------------
Comparing OBIEE10G AND OBIEE11G SECURITY MODELS:
1. Defining users and groups: In OBIEE 10G users and groups could be defined within an rpd file using the OBI Admin Tool.
2. In OBI 11g users and groups can no longer be defined within a repository.
3. The OBIEE Upgrade Assistant migrates users and groups from a Release 10g rpd into the embedded LDAP server in an OBIEE 11g installation.
4. Defining security policies: In OBI 10G security policies in the OBI Presentation Catalog and rpd could be defined to reference groups within a directory.
In OBI Release 11g a level of indirection is introduced whereby security policies are defined in terms of application roles, which are in turn assigned to users and groups in a directory.
This indirection allows an OBI Release 11g system to be deployed without changes to the corporate directory and eases movement of artifacts between development, test and production environments.
5. Use of the Administrator user: In an OBI 10g installation, a special user named Administrator has full administrative permissions and is also used to establish trust between processes within that installation.
In OBIEE11G there is no Admin user; there are some default users that have admin functions.
6. rpd encryption: In OBIEE 10G certain sensitive elements within an rpd are encrypted. In OBIEE11G the entire rpd is encrypted using a key derived from a user-supplied password.
7. BI Server Init blocks are supported in OBIEE 11G for authentication and authorization, as in OBIEE10G.
8. Catalog groups are supported in the OBI Presentation Catalog. These groups are only visible within OBI Presentation Services.
9. OBI 11G supports the SA System Subject Area in combination with the BI Server Init blocks, to access user, group and profile information stored in database tables.
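The following is an added example, not code from the original post or from Oracle. It models the indirection described in point 4 and in the Application Roles section: the policy references only application roles, so moving from development to production changes the group-to-role mapping and nothing else. The production group names, the privilege labels, the audit helper and the assumption that BIAdministrator inherits BIAuthor, which inherits BIConsumer, are illustrative.

```python
# Added illustration; all users, groups and privilege labels are constructed samples.
from collections import defaultdict

# Security policy is written against application roles only, never directory groups.
# Privilege labels are hypothetical, not OBIEE identifiers.
POLICY = {
    "BIConsumer": {"view_reports"},
    "BIAuthor": {"create_reports"},
    "BIAdministrator": {"manage_system"},
}
# Assumption: each role inherits the privileges of the roles it points to.
ROLE_INHERITS = {"BIAdministrator": ["BIAuthor"], "BIAuthor": ["BIConsumer"]}

# Development uses the default embedded-LDAP groups named on the page.
DEV_DIRECTORY = {"BIAuthors": ["User4", "User5"], "BIAdministrators": ["User6", "User7"]}
DEV_ROLE_MAP = {"BIAuthors": ["BIAuthor"], "BIAdministrators": ["BIAdministrator"]}
# Production uses hypothetical corporate groups; only the mapping changes.
PROD_DIRECTORY = {"CORP_Report_Writers": ["User4", "User5"], "CORP_BI_Ops": ["User6", "User7"]}
PROD_ROLE_MAP = {"CORP_Report_Writers": ["BIAuthor"], "CORP_BI_Ops": ["BIAdministrator"]}


def expand_roles(roles):
    """Return the given roles plus every role they inherit, directly or indirectly."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_INHERITS.get(role, []))
    return seen


def effective_access(directory, role_map):
    """Resolve user -> (roles, privileges) via group -> application role -> policy."""
    direct = defaultdict(set)
    for group, members in directory.items():
        for user in members:
            direct[user].update(role_map.get(group, []))
    result = {}
    for user, roles in direct.items():
        all_roles = expand_roles(roles)
        privileges = set().union(*(POLICY.get(r, set()) for r in all_roles))
        result[user] = (all_roles, privileges)
    return result


def audit(directory, role_map, approved_admins):
    """Report groups mapped to no role and administrators outside the approved set."""
    findings = [("unmapped_group", g) for g in directory if not role_map.get(g)]
    for user, (roles, _) in sorted(effective_access(directory, role_map).items()):
        if "BIAdministrator" in roles and user not in approved_admins:
            findings.append(("unapproved_admin", user))
    return findings


if __name__ == "__main__":
    dev = effective_access(DEV_DIRECTORY, DEV_ROLE_MAP)
    prod = effective_access(PROD_DIRECTORY, PROD_ROLE_MAP)
    print("same access in dev and prod:", dev == prod)
    for user, (roles, privileges) in sorted(prod.items()):
        print(user, sorted(roles), sorted(privileges))
    print("findings:", audit(PROD_DIRECTORY, PROD_ROLE_MAP, approved_admins={"User6"}))
```

Running the audit after each promotion between environments shows whether a remapped directory group has silently widened who holds BIAdministrator.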
----------------------------------------------------------------------------------
Steps for OBIEE 11G Installation in Windows 7 (64-bit) OS:
Requirements: OS: Windows 7 (64-bit) Enterprise/Professional version, but not Home Edition.
Minimum 4GB RAM, and the hard disk should be greater than 120GB.
1. Go to Oracle cloud to download the latest OBIEE11G software.
2. URL for Oracle cloud: https://edelivery.oracle.com/.
3. Select Business Intelligence as the Product Pack and Microsoft Windows x64 (64-bit) as the Platform.
4. Select the Oracle Business Intelligence 11g media pack for Microsoft Windows x64 (64-bit).
5. We have to download five files. Of the five, one is the Repository Creation Utility download and the remaining are Disk1 of 1, Disk2of1 and Disk 2of 1, Disk2of2.
6. Unzip all the disks into a single folder.
7. Unzip the Repository Creation Utility. You will find the executable file at the path rcuHome-->BIN-->rcu.bat; run this rcu.bat file.
8. In the connection window, give a user that has SYSADM privileges to install RCU.
9. During installation it will create metadata for DEV_BIPLATFORM and DEV_MDS.
We have to give a password for the DEV_BIPLATFORM schema.
Note: Remember this password and give the same password while installing OBIEE11G.
10. Now install OBIEE 11G. You will find the install file in disk1; run the install file and choose Simple Install.
11. It will ask you for the Middleware Home path. Just name the home; you can place the Middleware Home path on drive C.
12. Give the password for the WebLogic Admin URL/OBIEE Analytics URL/Enterprise Manager URL logins. Note: Remember the password; it is the same for all logins.
13. Now give the connection details as hostname:port:service name, for example localhost:1521:orcl, and give the DEV_BIPLATFORM password for the DEV_BIPLATFORM schema, which you set while installing RCU.
14. Installation will take about 1.30 hours.
15. In the last stage of the OBIEE11G installation you will automatically see the OBIEE URL, along with the other URLs such as BI Publisher, WebLogic Admin and Enterprise Manager.