Configuring ODI External User Authentication

Note: Instructions and any text that you need to modify are enclosed in <>.

<Do not delete this text because it is a placeholder for the generated list of "main" topics when run in a browser>

Purpose

This tutorial walks you through the steps needed to configure Oracle Data Integrator (ODI) for external user authentication.

Time to Complete

Approximately 20 minutes

Overview

Oracle Data Integrator stores all user information as well as users' privileges in the master repository by default. When a user logs in to ODI, it logs in against the master repository. This authentication method is called Internal Authentication.

Oracle Data Integrator can optionally use Oracle Platform Security Services (OPSS), a standards-based and portable security framework for Java applications, to authenticate its users against an external Identity Store, which contains enterprise users and passwords. Such an identity store is used at the enterprise level by all applications, in order to have centralized user and password definitions and Single Sign-On (SSO). In such a configuration, the ODI master repository only contains references to these enterprise users. This authentication method is called External Authentication.

Note: When using External Authentication, only users and their passwords are externalized. ODI privileges remain within the repository. Data servers and context passwords also remain in the master repository. It is possible to externalize data server and context passwords, using the ODI External Password Storage feature.

ODI can authenticate its users against a variety of external identity stores, such as Oracle Internet Directory (OID) LDAP Server or WebLogic Server. This OBE provides a step-by-step walkthrough of the process of configuring ODI with OID LDAP Server. The steps for configuring authentication with other external identity stores are very similar.

Note: The steps to configure ODI external user authentication are also outlined in the ODI 11g Developer's Guide.

In this tutorial, you learn how to:

Scenario

You work as a database administrator for Global Enterprise. In Global Enterprise, you are responsible for managing the security of the Oracle Data Integrator development environment. Instead of relying upon the internal user authentication available in ODI, you will establish external user authentication, taking advantage of the user accounts managed by your company's centralized OID LDAP Server.

 

Software and Hardware Requirements

The following is a list of software requirements:

Prerequisites

Before you start the tasks, make sure that your system environment meets the following requirements:

.

You have installed Oracle Database 11g. If not done before, start the services and components for Oracle Database 11g.

.

You have installed Oracle Data Integrator 11g Release 1.

. You have installed an external authentication provider such as LDAP, OID, or WLS.

Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository

.

Start SQL Developer by selecting Start > Programs > [Oracle Database home] > Application Development > SQL Developer.
When SQL Developer opens, close the Logging Page – Log tab.

 


.

In SQL Developer, create a new connection.



.

Name this new connection: Administrator. Enter SYSTEM for Username. Enter oracle1 for Password. For SID, enter: ORCL. Clisk Test, and then click Connect. Click “+” to expand connection Administrator.





.

You have to create the RDBMS schema/user (Oracle 11g) for the Master repository. The schemas can be created by executing the following SQL commands:

create user <MY_SCHEMA> identified by <MY_PASS>
default tablespace <MY_TBS> temporary tablespace <MY_TEMP>;
grant connect, resource to <MY_SCHEMA>;


Where:
<MY_SCHEMA> corresponds to the name of the schema that you want to create
<MY_PASS> corresponds to the password that you gave
<MY_TBS> corresponds to the Oracle tablespace where the data will be stored
<MY_TEMP> corresponds to the temporary default tablespace

In this example, to create the user vishal for master repository, enter the following command. Click Execute statement icon .

create user vishal identified by vishal
default tablespace users temporary tablespace temp;

Note: In this command, vishal is the value of the password to connect to the user vishal.


Edit the ODI Studio jps-config.xml File to Point to Your External OID LDAP Server

 

In this example, we are going to point to an external identity store that is an OID LDAP Server. For your purposes, use the following instructions to point to your own identity store, which might be an OID or WebLogic or other LDAP Server.

Let's take a look at a typical OID LDAP Server, which has a user named SUPERVISOR already defined. Later, this SUPERVISOR user will become our externally authenticated ODI user.

Oracle Directory Services Manager can be used to look at the contents of an OID LDAP Server:

Below, we see the user named SUPERVISOR. Later in this OBE, we will see how to define a new ODI Master Repository using this externally authenticated SUPERVISOR user:

 

.

The configuration to connect to and use the identity store is contained in an OPSS Configuration file called jps-config.xml file. Edit the jps-config.xml file to point to your external OID LDAP Server.

Note: The following sample section from a jps-config.xml file points to an imaginary OID LDAP Server. Do not attempt to copy this sample literally for your environment. Refer to the Oracle Fusion Middleware Security Guide for more information on editing your jps-config.xml file.

The sample section, below, from a jps-config.xml file shows an LDAP Server section added, in which the credentials for the LDAP Server are established:

<!-- JPS OID LDAP Identity Store Service Instance -->
<serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
<property name="subscriber.name" value="dc=us,dc=oracle,dc=com" />
<property name="idstore.type" value="OID" />
<property name="security.principal.key" value="ldap.credential"/>
<property name="security.principal.alias" value="JPS"/>

<property name="ldap.url" value="ldap://*****PUT_YOUR_LDAP_SERVER_HERE*****" />
<extendedProperty>
<name>user.search.bases</name>
<values>
<value>cn=users,dc=us,dc=oracle,dc=com</value>
</values>
</extendedProperty>
<extendedProperty>
<name>group.search.bases</name>
<values>
<value>cn=groups,dc=us,dc=oracle,dc=com</value>
</values>
</extendedProperty>
<property name="username.attr" value="uid" />
<property name="groupname.attr" value="cn" />
</serviceInstance>

Reference this service instance in the default JPS context by its name idstore.oid and also add the login module configuration as follows:

<jpsContext name="default">
<serviceInstanceRef ref=" idstore.oid "/>
<serviceInstanceRef ref="idstore.loginmodule"/>
</jpsContext>

After editing this file to point to your external identity store, copy the file into the ODI_HOME/oracledi/client/odi/bin/ directory. The ODI Studio reads the identity store configuration and authenticates against the configured identity store.

If you want to locate this file in a different location, edit the ODI_HOME/oracledi/client/odi/bin/odi.conf file and edit the option that sets the location of the configuration file. This option is set in the following line:

AddVMOption -Doracle.security.jps.config=./jps-config.xml

By default, odi.conf expects jps-config.xml to reside in the same execution directory as odi.conf.

.

Run the script to set up the credentials for idstore.oid or other LDAP in the identity store:

  • Navigate to where the run_credtool script resides in your environment,
    perhaps <HOME>/custom/FusionLibraries/tools.
  • Run the run_credtool.cmd or sh script.
    When the script prompts for input, defaults are shown in [].
  • Enter the input on the line following the prompt. The following 5 lines show you which defaults to take. In the 5th line, use the location path where your jps-config.xml file resides:

          [input] Alias: [JPS]
          [input] Key: [ldap.credential]
          [input] User Name:cn=user name
          [input] Password:password
          [input] JPS Config:[ORACLE_HOME\custom\FusionLibraries\tools/../../../config/jps-config.xml]


    Note:
    The Alias and Key input must match the values used in the serviceInstance security.principal.alias and security.principal.key respectively.
    Again, refer to the Oracle Fusion Middleware Security Guide for more information on editing your jps-config.xml file.

.

Restart the WebLogic Server domain.


Create a new ODI Master Repository Referencing a User in the External OID LDAP Server

.

In the next few steps you create the ODI Master repository. Start Oracle Data Integrator: Start > Programs > Oracle ODI 11g-Home> Oracle Data Integrator > ODI Studio

 

.

Open the New Gallery by choosing File > New. In the New Gallery, in the Categories tree, select ODI. Select from the Items list the Master Repository Creation Wizard. Click OK. The Master Repository Creation Wizard appears.


 

.

In the Master Repository Creation Wizard, select the browse icon of the JDBC Driver and then select Oracle JDBC Driver. Click OK. Edit the JDBC URL to read:
jdbc:oracle:thin: localhost:1521:orcl
Enter the User as vishal and the Password as vishal. Click the Test Connection button and verify successful connection. Click OK. Click Next on the Master Repository Creation Wizard screen.



.

In the Authentication window, select Use External Authentication. (If you had selected Use ODI Authentication, you would have been using ODI's internal authentication.)

Enter Supervisor User and Supervisor Password, as they exist in your external data store; in our case, we are specifying the user "SUPERVISOR" in our OID LDAP Server . Click Next.

Note: User names and passwords are case-sensitive in ODI.


 

.

In the Password Storage window, select Internal password Storage, and then click Finish. When the Master Repository is successfully created, you will see the Oracle Data Integrator Information message. Click OK. The ODI Master repository is now created.


 

.

You connect to the ODI Master repository by creating a new ODI Master Login. Open the New Gallery by choosing File > New. In the New Gallery, in the Categories tree, select ODI. From the Items list, select Create a New ODI Repository Login.

 

.

Configure Repository Connections with the parameters from the table provided below.

In the Oracle Data Integrator Connection section, enter the User and Password of the authenticated user in your external store. In this example, we specify SUPERVISOR/SUNOPSIS from the OID LDAP Server.

In the Database Connection (Master Repository) section, enter the User and Password of the schema user you created for the master repository. In this example, we specify vishal/vishal.

To enter the JDBC URL, click the button next to JDBC URL field and select jdbc:oracle:thin:@<host>:<port>:<sid> as shown in the screenshot, then edit the URL. Select Master Repository Only button. Click Test button. Verify successful connection and click OK. Click OK to save the connection.

Oracle Data Integrator Connection

Parameter

Value

Login Name

Master Repository

User

SUPERVISOR

Password

SUNOPSIS

Database Connection (Master Repository)

Parameter

Value

User

vishal

Password

vishal

Driver List

Oracle JDBC Driver

Driver Name

oracle.jdbc.OracleDriver

Url

jdbc:oracle:thin:@localhost:1521:orcl

Note: Do not copy and paste in the JDBC URL field. This may cause problems with entering a valid URL string. Instead, open the drop-down menu and select the correct driver from the list. Type the correct URL in the URL field.



 


Switch the Master Repository Authentication Mode Between External and Internal Authentication

.

Switching the authentication mode of the Oracle Data Integrator repository changes the way users authenticate. This operation must be performed by a Supervisor user.

WARNING:

When switching from an External to Internal authentication, user passwords are not copied from the identity store to the repository. The passwords are nullified. All the user accounts are marked as expired and must be reactivated by a SUPERVISOR that is created during the switch.

When switching from Internal to External authentication, the users that exist in the repository and match a user in the identity store are automatically mapped. Users that do not match a user in the identity store are disabled. A Supervisor must edit the users so that their name has a match in the identity store.

The context passwords are lost. Passwords for data servers, jdbc password of the work repository, and ESS related passwords are removed from their credential store.

Use the Switch Authentication Mode wizard to change the user authentication mode.

Before launching the Switch Authentication Mode wizard perform the following tasks:

  • Disconnect Oracle Data Integrator Studio from the repository.

  • Shut down every component using the Oracle Data Integrator repository.

To use the Switch Authentication Mode wizard:

From the ODI main menu, select Switch Authentication Mode.

The Switch Authentication Mode wizard appears.

.

Specify the JDBC connectivity details of your Oracle Data Integrator master repository as defined when you connected to the Master Repository.

Click Next.

.

The next action varies, depending on the current Authentication Mode in use:

  • If currently using Internal Authentication, you are prompted to switch to external authentication.
  • If currently using External Authentication, you are prompted to switch to internal authentication. You must provide and confirm a password for the SUPERVISOR user that the wizard will automatically create in the repository.

Click Finish.

The Authentication mode is changed.

  • If you have switched from external to internal authentication, you can now re-connect to the Oracle Data Integrator repository as SUPERVISOR, with the password you have provided in the wizard. Once connected, you can edit each user to reactivate it and set a password for this user.
  • If you have switched from internal to external authentication, you can now re-connect to the Oracle Data Integrator repository as one of the users with supervisor privileges, and re-enable the Oracle Data Integrator users that have been disabled during the switch.

.

Reactivating Users After Switching to Internal Authentication

To reactivate a User:

  1. In Security Navigator expand the Users accordion.
  2. Select the user that you want to reactivate from the list of users.
  3. Right-click and select Edit. The User editor appears.
  4. Un-select Allow Expiration Date.
  5. If you want to set a password for this user, click Change Password and enter the new password for this user.
  6. From the File main menu, select Save.
  7. Re-Enable Users After Switching to External Authentication.

To re-enable a User:

  1. In Security Navigator expand the Users accordion.
  2. Select the user that you want to re-enable from the list of users.
  3. Right-click and select Edit. The User editor appears.
  4. In the Name field, enter a user name that matches the login of an enterprise user in the identity store.
  5. Click Retrieve GUID. If the user name has a match in the identity store, this external user's GUID appear in the External GUID field.
  6. From the File main menu, select Save.


Edit an ODI Standalone Agent jps-config.xml File to Point to Your External OID LDAP Server

.

A common task using ODI is to set up and install ODI agents. After the ODI scenarios are created, they can be scheduled and orchestrated using an ODI agent, which is a lightweight Java process that orchestrates the execution of ODI scenarios.

For standalone agents, the configuration to connect and use the external identity store is contained in a copy of the same OPSS configuration file jps-config.xml that you used to configure the ODI Studio.

However, you need to place the copy of this file for standalone agent in a different folder. Copy this file to the ODI_HOME/oracledi/agent/bin/ directory. The agent and the command line scripts will authenticate against the configured identity store.

Refer to the Oracle Fusion Middleware Security Guide for more information.

 

.

Edit the odiparams.sh file, entering appropriate values, such as:

ODI_MASTER_DRIVER=oracle.jdbc.driver.OracleDriver
ODI_MASTER_URL=jdbc:oracle:thin:@localhost:1521:nrdb
ODI_MASTER_USER=EAMASTER ODI_MASTER_ENCODED_PASS=gxfpqkz074jeaCpL4XSEFzxoj8E0p
ODI_SECU_WORK_REP=WORKREP1
ODI_SUPERVISOR=SUPERVISOR
ODI_SUPERVISOR_ENCODED_PASS=fJya.vR5kvNcu9TtV,jVZEt

.

To encode the password:
<ODI_HOME>/oracledi/agent/bin/encode.sh <password>


Understand External User Authentication in a Java EE Context

.

Oracle Data Integrator components deployed in a container (Java EE Agent, Oracle Data Integrator Console) do not require a specific configuration. They use the configuration of their container.

Refer to the Oracle Fusion Middleware Security Guide for more information on OPSS configuration in a Java EE context.

In JRF-enabled J2EE containers (Agent in WebLogic Server [WLS]):

  • Configure Java Required Files (JRF) on WLS.
  • As soon as you configure your J2EE container (currently only WLS is supported) with JRF enabled, OPSS will be configured for the application deployed inside.
  • By default, OPSS is configured to use the WLS internal LDAP Identity Store. You need to configure a new Authenticator inside WLS if you want to use an external, central OID.

Useful resources

 

Summary

In this tutorial, you have learned how to:

Resources

 

Hardware and Software Engineered to Work Together About Oracle |Oracle and Sun | Oracle RSS Feeds | Careers | Contact Us | Site Maps | Legal Notices | Terms of Use | Your Privacy Rights