Configuring ODI External User Authentication
Note: Instructions and any text that you need to modify are enclosed in <>.
This tutorial contains the following sections:
Purpose
Time to Complete
Overview
Scenario
Software and Hardware Requirements
Prerequisites
Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
Edit the ODI Studio jps-config.xml File to Point to Your External OID LDAP Server
Switch the Master Repository Authentication Mode Between External and Internal Authentication
Edit an ODI Standalone Agent jps-config.xml File to Point to Your External OID LDAP Server
Understand External User Authentication in a Java EE Context
Summary
Resources
Purpose
This tutorial walks you through the steps needed to configure Oracle Data Integrator (ODI) for external user authentication.
Time to Complete
Approximately 20 minutes
Overview
Oracle Data Integrator stores all user information as well as users' privileges in the master repository by default. When a user logs into ODI, it logs in against the master repository. This authentication method is called Internal Authentication.
Oracle Data Integrator can optionally use Oracle Platform Security Services (OPSS), a standards-based and portable security framework for Java applications, to authenticate its users against an external Identity Store, which contains enterprise users and passwords. Such an identity store is used at the enterprise level by all applications, in order to have centralized user and password definitions and Single Sign-On (SSO). In such a configuration, the ODI master repository only contains references to these enterprise users. This authentication method is called External Authentication.
Note: When using External Authentication, only users and their passwords are externalized. ODI privileges remain within the repository. Data servers and context passwords also remain in the master repository. It is possible to externalize data server and context passwords, using the ODI External Password Storage feature.
ODI can authenticate its users against a variety of external identity stores, such as Oracle Internet Directory (OID) LDAP Server or WebLogic Server. This OBE provides a step-by-step walkthrough of the process of configuring ODI with OID LDAP Server. The steps for configuring authentication with other external identity stores are very similar.
Note: The steps to configure ODI external user authentication are also outlined in the ODI 11g Developer's Guide.
In this tutorial, you learn how to:
Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
Edit the ODI Studio jps-config.xml file to point to your external OID LDAP Server
Create a new ODI Master Repository using an authenticated user in the external OID LDAP Server
Switch the Master Repository authentication mode between external and internal authentication
Edit an ODI standalone agent jps-config.xml file to point to your external OID LDAP Server
Understand external user authentication in a Java EE context
Scenario
You work as a database administrator for Global Enterprise. In Global Enterprise, you are responsible for managing the security of the Oracle Data Integrator development environment. Instead of relying upon the internal user authentication available in ODI, you will establish external user authentication, taking advantage of the user accounts managed by your company's centralized OID LDAP Server.
Software and Hardware Requirements
The following is a list of software requirements:
The system should include the following installed products:
Oracle Database 11g
Oracle Data Integrator 11g Release 1
An external authentication provider such as LDAP, OID, or WLS
If not done before, start the services and components for Oracle Database 11g.
Prerequisites
Before you start the tasks, make sure that your system environment meets the following requirements:
1. You have installed Oracle Database 11g. If not done before, start the services and components for Oracle Database 11g.
2. You have installed Oracle Data Integrator 11g Release 1.
3. You have installed an external authentication provider such as LDAP, OID, or WLS.
Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
1. Start SQL Developer by selecting Start > Programs > [Oracle Database home] > Application Development > SQL Developer.
When SQL Developer opens, close the Logging Page Log tab.
2. In SQL Developer, create a new connection.
3. Name this new connection: Administrator. Enter SYSTEM for Username. Enter oracle1 for Password. For SID, enter: ORCL. Click Test, and then click Connect. Click + to expand connection Administrator.
4. You have to create the RDBMS schema/user (Oracle 11g) for the Master repository. The schema can be created by executing the following SQL commands:
create user <MY_SCHEMA> identified by <MY_PASS>
default tablespace <MY_TBS> temporary tablespace <MY_TEMP>;
grant connect, resource to <MY_SCHEMA>;
Where:
<MY_SCHEMA> corresponds to the name of the schema that you want to create
<MY_PASS> corresponds to the password that you gave
<MY_TBS> corresponds to the Oracle tablespace where the data will be stored
<MY_TEMP> corresponds to the temporary default tablespace
In this example, to create the user vishal for the master repository, enter the following command. Click the Execute Statement icon.
create user vishal identified by vishal
default tablespace users temporary tablespace temp;
Note: In this command, vishal is the value of the password to connect to the user vishal.
Edit the ODI Studio jps-config.xml File to Point to Your External OID LDAP Server
In this example, we are going to point to an external identity store that is an OID LDAP Server. For your purposes, use the following instructions to point to your own identity store, which might be an OID or WebLogic or other LDAP Server.
Let's take a look at a typical OID LDAP Server, which has a user named SUPERVISOR already defined. Later, this SUPERVISOR user will become our externally authenticated ODI user.
Oracle Directory Services Manager can be used to look at the contents of an OID LDAP Server:
Below, we see the user named SUPERVISOR. Later in this OBE, we will see how to define a new ODI Master Repository using this externally authenticated SUPERVISOR user:
1. The configuration to connect to and use the identity store is contained in an OPSS configuration file called jps-config.xml. Edit the jps-config.xml file to point to your external OID LDAP Server.
Note: The following sample section from a jps-config.xml file points to an imaginary OID LDAP Server. Do not attempt to copy this sample literally for your environment. Refer to the Oracle Fusion Middleware Security Guide for more information on editing your jps-config.xml file.
The sample section, below, from a jps-config.xml file shows an LDAP Server section added, in which the credentials for the LDAP Server are established:
<!-- JPS OID LDAP Identity Store Service Instance -->
<serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
  <property name="subscriber.name" value="dc=us,dc=oracle,dc=com"/>
  <property name="idstore.type" value="OID"/>
  <property name="security.principal.key" value="ldap.credential"/>
  <property name="security.principal.alias" value="JPS"/>
  <property name="ldap.url" value="ldap://*****PUT_YOUR_LDAP_SERVER_HERE*****"/>
  <extendedProperty>
    <name>user.search.bases</name>
    <values>
      <value>cn=users,dc=us,dc=oracle,dc=com</value>
    </values>
  </extendedProperty>
  <extendedProperty>
    <name>group.search.bases</name>
    <values>
      <value>cn=groups,dc=us,dc=oracle,dc=com</value>
    </values>
  </extendedProperty>
  <property name="username.attr" value="uid"/>
  <property name="groupname.attr" value="cn"/>
</serviceInstance>
Reference this service instance in the default JPS context by its name idstore.oid and also add the login module configuration as follows:
<jpsContext name="default">
  <serviceInstanceRef ref="idstore.oid"/>
  <serviceInstanceRef ref="idstore.loginmodule"/>
</jpsContext>
After editing this file to point to your external identity store, copy the file into the ODI_HOME/oracledi/client/odi/bin/ directory. ODI Studio reads the identity store configuration and authenticates against the configured identity store.
If you want to place this file in a different location, edit the ODI_HOME/oracledi/client/odi/bin/odi.conf file and edit the option that sets the location of the configuration file. This option is set in the following line:
AddVMOption -Doracle.security.jps.config=./jps-config.xml
By default, odi.conf expects jps-config.xml to reside in the same execution directory as odi.conf.
2. Run the script to set up the credentials for idstore.oid (or another LDAP identity store) in the credential store:
Navigate to where the run_credtool script resides in your environment, perhaps <HOME>/custom/FusionLibraries/tools.
Run the run_credtool.cmd or run_credtool.sh script.
When the script prompts for input, defaults are shown in [].
Enter the input on the line following the prompt. The following 5 lines show you which defaults to take. In the 5th line, use the location path where your jps-config.xml file resides:
[input] Alias: [JPS]
[input] Key: [ldap.credential]
[input] User Name: cn=username
[input] Password: password
[input] JPS Config: [ORACLE_HOME\custom\FusionLibraries\tools/../../../config/jps-config.xml]
Note:
The Alias and Key input must match the values used in the serviceInstance security.principal.alias and security.principal.key respectively.
Again, refer to the Oracle Fusion Middleware Security Guide for more information on editing your jps-config.xml file.
3. Restart the WebLogic Server domain.
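As an added example (not part of this tutorial or of Oracle's tooling), the following Python script checks a jps-config.xml against the constraints this section states: security.principal.alias and security.principal.key must equal the Alias and Key entered into run_credtool, the ldap.url placeholder must have been replaced, and the default jpsContext must reference both the identity store instance and idstore.loginmodule. The sample XML is constructed, and the oid.example.com host used in the usage note is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed jps-config.xml (not a real file) modelled on the tutorial's sample; ldap.url still holds the placeholder.
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
      <property name="subscriber.name" value="dc=us,dc=oracle,dc=com"/>
      <property name="idstore.type" value="OID"/>
      <property name="security.principal.key" value="ldap.credential"/>
      <property name="security.principal.alias" value="JPS"/>
      <property name="ldap.url" value="ldap://*****PUT_YOUR_LDAP_SERVER_HERE*****"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="idstore.oid"/>
      <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""

def _strip_namespaces(root):
    # Real jps-config.xml files declare a default namespace; drop it so the XPath below stays simple.
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def check_idstore(xml_text, instance="idstore.oid", alias="JPS", key="ldap.credential"):
    """Return problems found; an empty list means the wiring matches the alias/key given to run_credtool."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    inst = root.find(f".//serviceInstance[@name='{instance}']")
    if inst is None:
        return [f"serviceInstance '{instance}' is not defined"]
    problems = []
    props = {p.get("name"): p.get("value", "") for p in inst.findall("property")}
    if props.get("security.principal.alias") != alias:
        problems.append(f"security.principal.alias must equal the credential alias '{alias}'")
    if props.get("security.principal.key") != key:
        problems.append(f"security.principal.key must equal the credential key '{key}'")
    url = props.get("ldap.url", "")
    if "PUT_YOUR" in url or not url.startswith(("ldap://", "ldaps://")):
        problems.append("ldap.url is still a placeholder or not an ldap:// or ldaps:// URL")
    ctx = root.find(".//jpsContext[@name='default']")
    refs = {r.get("ref") for r in ctx.findall("serviceInstanceRef")} if ctx is not None else set()
    for needed in (instance, "idstore.loginmodule"):
        if needed not in refs:
            problems.append(f"default jpsContext does not reference '{needed}'")
    return problems
```

Run check_idstore on the text of your edited file (for example after replacing the placeholder with ldap://oid.example.com:3060); the unedited sample above reports the placeholder, and a file that passes returns an empty list.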
Create a new ODI Master Repository Referencing a User in the External OID LDAP Server
1. In the next few steps you create the ODI Master repository. Start Oracle Data Integrator: Start > Programs > Oracle ODI 11g Home > Oracle Data Integrator > ODI Studio
2. Open the New Gallery by choosing File > New. In the New Gallery, in the Categories tree, select ODI. Select from the Items list the Master Repository Creation Wizard. Click OK. The Master Repository Creation Wizard appears.
3. In the Master Repository Creation Wizard, select the browse icon of the JDBC Driver and then select Oracle JDBC Driver. Click OK. Edit the JDBC URL to read:
jdbc:oracle:thin:@localhost:1521:orcl
Enter the User as vishal and the Password as vishal. Click the Test Connection button and verify successful connection. Click OK. Click Next on the Master Repository Creation Wizard screen.
4. In the Authentication window, select Use External Authentication. (If you had selected Use ODI Authentication, you would have been using ODI's internal authentication.)
Enter Supervisor User and Supervisor Password, as they exist in your external data store. In our case, we are specifying the user "SUPERVISOR" in our OID LDAP Server. Click Next.
Note: User names and passwords are case sensitive in ODI.
5. In the Password Storage window, select Internal password Storage, and then click Finish. When the Master Repository is successfully created, you will see the Oracle Data Integrator Information message. Click OK. The ODI Master repository is now created.
6. You connect to the ODI Master repository by creating a new ODI Master Login. Open the New Gallery by choosing File > New. In the New Gallery, in the Categories tree, select ODI. From the Items list, select Create a New ODI Repository Login.
7. Configure Repository Connections with the parameters from the table provided below.
In the Oracle Data Integrator Connection section, enter the User and Password of the authenticated user in your external store. In this example, we specify SUPERVISOR/SUNOPSIS from the OID LDAP Server.
In the Database Connection (Master Repository) section, enter the User and Password of the schema user you created for the master repository. In this example, we specify vishal/vishal.
To enter the JDBC URL, click the button next to the JDBC URL field and select jdbc:oracle:thin:@<host>:<port>:<sid> as shown in the screenshot, then edit the URL. Select the Master Repository Only button. Click the Test button. Verify successful connection and click OK. Click OK to save the connection.
Oracle Data Integrator Connection
Parameter       Value
Login Name      Master Repository
User            SUPERVISOR
Password        SUNOPSIS
Database Connection (Master Repository)
Parameter       Value
User            vishal
Password        vishal
Driver List     Oracle JDBC Driver
Driver Name     oracle.jdbc.OracleDriver
Url             jdbc:oracle:thin:@localhost:1521:orcl
Note: Do not copy and paste in the JDBC URL field. This may cause problems with entering a valid URL string. Instead, open the drop-down menu and select the correct driver from the list. Type the correct URL in the URL field.
Switch the Master Repository Authentication Mode Between External and Internal Authentication
1. Switching the authentication mode of the Oracle Data Integrator repository changes the way users authenticate. This operation must be performed by a Supervisor user.
WARNING:
When switching from External to Internal authentication, user passwords are not copied from the identity store to the repository. The passwords are nullified. All the user accounts are marked as expired and must be reactivated by a SUPERVISOR that is created during the switch.
When switching from Internal to External authentication, the users that exist in the repository and match a user in the identity store are automatically mapped. Users that do not match a user in the identity store are disabled. A Supervisor must edit the users so that their name has a match in the identity store.
The context passwords are lost. Passwords for data servers, the JDBC password of the work repository, and ESS-related passwords are removed from their credential store.
Use the Switch Authentication Mode wizard to change the user authentication mode.
Before launching the Switch Authentication Mode wizard, perform the following tasks:
Disconnect Oracle Data Integrator Studio from the repository.
Shut down every component using the Oracle Data Integrator repository.
To use the Switch Authentication Mode wizard:
From the ODI main menu, select Switch Authentication Mode.
The Switch Authentication Mode wizard appears.
2. Specify the JDBC connectivity details of your Oracle Data Integrator master repository as defined when you connected to the Master Repository.
Click Next.
3. The next action varies, depending on the current Authentication Mode in use:
If currently using Internal Authentication, you are prompted to switch to external authentication.
If currently using External Authentication, you are prompted to switch to internal authentication. You must provide and confirm a password for the SUPERVISOR user that the wizard will automatically create in the repository.
Click Finish.
The Authentication mode is changed.
If you have switched from external to internal authentication, you can now reconnect to the Oracle Data Integrator repository as SUPERVISOR, with the password you have provided in the wizard. Once connected, you can edit each user to reactivate it and set a password for this user.
If you have switched from internal to external authentication, you can now reconnect to the Oracle Data Integrator repository as one of the users with supervisor privileges, and re-enable the Oracle Data Integrator users that have been disabled during the switch.
4. Reactivating Users After Switching to Internal Authentication
To reactivate a User:
1. In Security Navigator, expand the Users accordion.
2. Select the user that you want to reactivate from the list of users.
3. Right-click and select Edit. The User editor appears.
4. Unselect Allow Expiration Date.
5. If you want to set a password for this user, click Change Password and enter the new password for this user.
6. From the File main menu, select Save.
7. Re-enable Users After Switching to External Authentication.
To re-enable a User:
1. In Security Navigator, expand the Users accordion.
2. Select the user that you want to re-enable from the list of users.
3. Right-click and select Edit. The User editor appears.
4. In the Name field, enter a user name that matches the login of an enterprise user in the identity store.
5. Click Retrieve GUID. If the user name has a match in the identity store, this external user's GUID appears in the External GUID field.
6. From the File main menu, select Save.
Edit an ODI Standalone Agent jps-config.xml File to Point to Your External OID LDAP Server
1. A common task using ODI is to set up and install ODI agents. After the ODI scenarios are created, they can be scheduled and orchestrated using an ODI agent, which is a lightweight Java process that orchestrates the execution of ODI scenarios.
For standalone agents, the configuration to connect to and use the external identity store is contained in a copy of the same OPSS configuration file jps-config.xml that you used to configure ODI Studio.
However, you need to place the copy of this file for the standalone agent in a different folder. Copy this file to the ODI_HOME/oracledi/agent/bin/ directory. The agent and the command line scripts will authenticate against the configured identity store.
Refer to the Oracle Fusion Middleware Security Guide for more information.
2. Edit the odiparams.sh file, entering appropriate values, such as:
ODI_MASTER_DRIVER=oracle.jdbc.driver.OracleDriver
ODI_MASTER_URL=jdbc:oracle:thin:@localhost:1521:nrdb
ODI_MASTER_USER=EAMASTER
ODI_MASTER_ENCODED_PASS=gxfpqkz074jeaCpL4XSEFzxoj8E0p
ODI_SECU_WORK_REP=WORKREP1
ODI_SUPERVISOR=SUPERVISOR
ODI_SUPERVISOR_ENCODED_PASS=fJya.vR5kvNcu9TtV,jVZEt
3. To encode the password:
<ODI_HOME>/oracledi/agent/bin/encode.sh <password>
Understand External User Authentication in a Java EE Context
1. Oracle Data Integrator components deployed in a container (Java EE Agent, Oracle Data Integrator Console) do not require a specific configuration. They use the configuration of their container.
Refer to the Oracle Fusion Middleware Security Guide for more information on OPSS configuration in a Java EE context.
In JRF-enabled J2EE containers (Agent in WebLogic Server [WLS]):
Configure Java Required Files (JRF) on WLS.
As soon as you configure your J2EE container (currently only WLS is supported) with JRF enabled, OPSS will be configured for the application deployed inside.
By default, OPSS is configured to use the WLS internal LDAP Identity Store. You need to configure a new Authenticator inside WLS if you want to use an external, central OID.
Useful resources
Introduction to Oracle Platform Security Services:
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/underjps.htm
OPSS Configuration File Reference:
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/apjpscfg.htm#BEHDBJED
Summary
In this tutorial, you have learned how to:
Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
Edit the ODI Studio jps-config.xml file to point to your external OID LDAP Server
Create a new ODI Master Repository using an authenticated user in the external OID LDAP Server
Switch the Master Repository authentication mode between external and internal authentication
Edit an ODI standalone agent jps-config.xml file to point to your external OID LDAP Server
Understand external user authentication in a Java EE context
Resources
Oracle Data Integrator 11g Documentation
To learn more about other Oracle products, refer to additional OBEs in the Learning Library.