Configuring ODI External User Authentication

Overview

Oracle Data Integrator stores all user information as well as users' privileges in the master repository by default. When a user logs in to ODI, it logs in against the master repository. This authentication method is called Internal Authentication.
Oracle Data Integrator can optionally use Oracle Platform Security Services (OPSS), a standards-based and portable security framework for Java applications, to authenticate its users against an external Identity Store, which contains enterprise users and passwords. Such an identity store is used at the enterprise level by all applications, in order to have centralized user and password definitions and Single Sign-On (SSO). In such a configuration, the ODI master repository only contains references to these enterprise users. This authentication method is called External Authentication.

Note: When using External Authentication, only users and their passwords are externalized. ODI privileges remain within the repository. Data servers and context passwords also remain in the master repository. It is possible to externalize data server and context passwords, using the ODI External Password Storage feature.

ODI can authenticate its users against a variety of external identity stores, such as Oracle Internet Directory (OID) LDAP Server or WebLogic Server. This OBE provides a step-by-step walkthrough of the process of configuring ODI with OID LDAP Server. The steps for configuring authentication with other external identity stores are very similar.
Note: The steps to configure ODI external user authentication are also
In this tutorial, you learn how to:

• Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
• Edit the ODI Studio jps-config.xml file to point to your external OID LDAP Server
• Create a new ODI Master Repository using an authenticated user in the external OID LDAP Server
• Switch the Master Repository authentication mode between external and internal authentication
• Edit an ODI standalone agent jps-config.xml file to point to your external OID LDAP Server
• Understand external user authentication in a Java EE context

Scenario

You work as a database administrator for Global Enterprise. In Global Enterprise, you are responsible for managing the security of the Oracle Data Integrator development environment. Instead of relying upon the internal user authentication available in ODI, you will establish external user authentication, taking advantage of the user accounts managed by your company's centralized OID LDAP Server.

Software and Hardware Requirements

The following is a list of software requirements:

• The system should include the following installed products:
  • Oracle Database 11g
  • Oracle Data Integrator 11g Release 1
  • An external authentication provider such as LDAP, OID, or WLS
  If not done before, start the services and components for Oracle Database 11g.

Prerequisites

Before you start the tasks, make sure that your system environment meets the following requirements:

1.	You have installed Oracle Database 11g. If not done before, start the services and components for Oracle Database 11g.
2.	You have installed Oracle Data Integrator 11g Release 1.
.	You have installed an external authentication provider such as LDAP, OID, or WLS.

Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository

1.	Start SQL Developer by selecting Start > Programs > [Oracle Database home] > Application Development > SQL Developer. When SQL Developer opens, close the Logging Page – Log tab.
2 .	In SQL Developer, create a new connection.
3.	Name this new connection: Administrator. Enter SYSTEM for Username. Enter oracle1 for Password. For SID, enter: ORCL. Clisk Test, and then click Connect. Click “+” to expand connection Administrator.
4.	You have to create the RDBMS schema/user (Oracle 11g) for the Master repository. The schemas can be created by executing the following SQL commands: create user <MY_SCHEMA> identified by <MY_PASS> default tablespace <MY_TBS> temporary tablespace <MY_TEMP>; grant connect, resource to <MY_SCHEMA>; Where: <MY_SCHEMA> corresponds to the name of the schema that you want to create <MY_PASS> corresponds to the password that you gave <MY_TBS> corresponds to the Oracle tablespace where the data will be stored <MY_TEMP> corresponds to the temporary default tablespace In this example, to create the user vishal for master repository, enter the following command. Click Execute statement icon . create user vishal identified by vishal default tablespace users temporary tablespace temp; Note: In this command, vishal is the value of the password to connect to the user vishal.

Edit the ODI Studio jps-config.xml File to Point to Your External OID LDAP Server

	In this example, we are going to point to an external identity store that is an OID LDAP Server. For your purposes, use the following instructions to point to your own identity store, which might be an OID or WebLogic or other LDAP Server. Let's take a look at a typical OID LDAP Server, which has a user named SUPERVISOR already defined. Later, this SUPERVISOR user will become our externally authenticated ODI user. Oracle Directory Services Manager can be used to look at the contents of an OID LDAP Server: Below, we see the user named SUPERVISOR. Later in this OBE, we will see how to define a new ODI Master Repository using this externally authenticated SUPERVISOR user:
1 .	The configuration to connect to and use the identity store is contained in an OPSS Configuration file called jps-config.xml file. Edit the jps-config.xml file to point to your external OID LDAP Server. Note: The following sample section from a jps-config.xml file points to an imaginary OID LDAP Server. Do not attempt to copy this sample literally for your environment. Refer to the Oracle Fusion Middleware Security Guide for more information on editing your jps-config.xml file. The sample section, below, from a jps-config.xml file shows an LDAP Server section added, in which the credentials for the LDAP Server are established: <!-- JPS OID LDAP Identity Store Service Instance --> <serviceInstance name="idstore.oid" provider="idstore.ldap.provider"> <property name="subscriber.name" value="dc=us,dc=oracle,dc=com" /> <property name="idstore.type" value="OID" /> <property name="security.principal.key" value="ldap.credential"/> <property name="security.principal.alias" value="JPS"/> <property name="ldap.url" value="ldap://*****PUT_YOUR_LDAP_SERVER_HERE*****" /> <extendedProperty> <name>user.search.bases</name> <values> <value>cn=users,dc=us,dc=oracle,dc=com</value> </values> </extendedProperty> <extendedProperty> <name>group.search.bases</name> <values> <value>cn=groups,dc=us,dc=oracle,dc=com</value> </values> </extendedProperty> <property name="username.attr" value="uid" /> <property name="groupname.attr" value="cn" /> </serviceInstance> Reference this service instance in the default JPS context by its name idstore.oid and also add the login module configuration as follows: <jpsContext name="default"> <serviceInstanceRef ref=" idstore.oid "/> <serviceInstanceRef ref="idstore.loginmodule"/> </jpsContext> After editing this file to point to your external identity store, copy the file into the ODI_HOME/oracledi/client/odi/bin/ directory. The ODI Studio reads the identity store configuration and authenticates against the configured identity store. If you want to locate this file in a different location, edit the ODI_HOME/oracledi/client/odi/bin/odi.conf file and edit the option that sets the location of the configuration file. This option is set in the following line: AddVMOption -Doracle.security.jps.config=./jps-config.xml By default, odi.conf expects jps-config.xml to reside in the same execution directory as odi.conf.
2 .	Run the script to set up the credentials for idstore.oid or other LDAP in the identity store: Navigate to where the run_credtool script resides in your environment, perhaps <HOME>/custom/FusionLibraries/tools. Run the run_credtool.cmd or sh script. When the script prompts for input, defaults are shown in []. Enter the input on the line following the prompt. The following 5 lines show you which defaults to take. In the 5th line, use the location path where your jps-config.xml file resides:       [input] Alias: [JPS]       [input] Key: [ldap.credential]       [input] User Name:cn=user name       [input] Password:password       [input] JPS Config:[ORACLE_HOME\custom\FusionLibraries\tools/../../../config/jps-config.xml] Note: The Alias and Key input must match the values used in the serviceInstance security.principal.alias and security.principal.key respectively. Again, refer to the Oracle Fusion Middleware Security Guide for more information on editing your jps-config.xml file.
3 .	Restart the WebLogic Server domain.

Create a new ODI Master Repository Referencing a User in the External OID LDAP Server

1 .	In the next few steps you create the ODI Master repository. Start Oracle Data Integrator: Start > Programs > Oracle ODI 11g-Home> Oracle Data Integrator > ODI Studio
2 .	Open the New Gallery by choosing File > New. In the New Gallery, in the Categories tree, select ODI. Select from the Items list the Master Repository Creation Wizard. Click OK. The Master Repository Creation Wizard appears.
3 .	In the Master Repository Creation Wizard, select the browse icon of the JDBC Driver and then select Oracle JDBC Driver. Click OK. Edit the JDBC URL to read: jdbc:oracle:thin: localhost:1521:orcl Enter the User as vishal and the Password as vishal. Click the Test Connection button and verify successful connection. Click OK. Click Next on the Master Repository Creation Wizard screen.
4 .	In the Authentication window, select Use External Authentication. (If you had selected Use ODI Authentication, you would have been using ODI's internal authentication.) Enter Supervisor User and Supervisor Password, as they exist in your external data store; in our case, we are specifying the user "SUPERVISOR" in our OID LDAP Server . Click Next. Note: User names and passwords are case-sensitive in ODI.
5 .	In the Password Storage window, select Internal password Storage, and then click Finish. When the Master Repository is successfully created, you will see the Oracle Data Integrator Information message. Click OK. The ODI Master repository is now created.
6 .	You connect to the ODI Master repository by creating a new ODI Master Login. Open the New Gallery by choosing File > New. In the New Gallery, in the Categories tree, select ODI. From the Items list, select Create a New ODI Repository Login.
7 .	Configure Repository Connections with the parameters from the table provided below. In the Oracle Data Integrator Connection section, enter the User and Password of the authenticated user in your external store. In this example, we specify SUPERVISOR/SUNOPSIS from the OID LDAP Server. In the Database Connection (Master Repository) section, enter the User and Password of the schema user you created for the master repository. In this example, we specify vishal/vishal. To enter the JDBC URL, click the button next to JDBC URL field and select jdbc:oracle:thin:@<host>:<port>:<sid> as shown in the screenshot, then edit the URL. Select Master Repository Only button. Click Test button. Verify successful connection and click OK. Click OK to save the connection. Oracle Data Integrator Connection Parameter Value Login Name Master Repository User SUPERVISOR Password SUNOPSIS Database Connection (Master Repository) Parameter Value User vishal Password vishal Driver List Oracle JDBC Driver Driver Name oracle.jdbc.OracleDriver Url jdbc:oracle:thin:@localhost:1521:orcl Note: Do not copy and paste in the JDBC URL field. This may cause problems with entering a valid URL string. Instead, open the drop-down menu and select the correct driver from the list. Type the correct URL in the URL field.

Switch the Master Repository Authentication Mode Between External and Internal Authentication

1.	Switching the authentication mode of the Oracle Data Integrator repository changes the way users authenticate. This operation must be performed by a Supervisor user. WARNING: When switching from an External to Internal authentication, user passwords are not copied from the identity store to the repository. The passwords are nullified. All the user accounts are marked as expired and must be reactivated by a SUPERVISOR that is created during the switch. When switching from Internal to External authentication, the users that exist in the repository and match a user in the identity store are automatically mapped. Users that do not match a user in the identity store are disabled. A Supervisor must edit the users so that their name has a match in the identity store. The context passwords are lost. Passwords for data servers, jdbc password of the work repository, and ESS related passwords are removed from their credential store. Use the Switch Authentication Mode wizard to change the user authentication mode. Before launching the Switch Authentication Mode wizard perform the following tasks: Disconnect Oracle Data Integrator Studio from the repository. Shut down every component using the Oracle Data Integrator repository. To use the Switch Authentication Mode wizard: From the ODI main menu, select Switch Authentication Mode. The Switch Authentication Mode wizard appears.
2.	Specify the JDBC connectivity details of your Oracle Data Integrator master repository as defined when you connected to the Master Repository. Click Next.
3.	The next action varies, depending on the current Authentication Mode in use: If currently using Internal Authentication, you are prompted to switch to external authentication. If currently using External Authentication, you are prompted to switch to internal authentication. You must provide and confirm a password for the SUPERVISOR user that the wizard will automatically create in the repository. Click Finish. The Authentication mode is changed. If you have switched from external to internal authentication, you can now re-connect to the Oracle Data Integrator repository as SUPERVISOR, with the password you have provided in the wizard. Once connected, you can edit each user to reactivate it and set a password for this user. If you have switched from internal to external authentication, you can now re-connect to the Oracle Data Integrator repository as one of the users with supervisor privileges, and re-enable the Oracle Data Integrator users that have been disabled during the switch.
4.	Reactivating Users After Switching to Internal Authentication To reactivate a User: In Security Navigator expand the Users accordion. Select the user that you want to reactivate from the list of users. Right-click and select Edit. The User editor appears. Un-select Allow Expiration Date. If you want to set a password for this user, click Change Password and enter the new password for this user. From the File main menu, select Save. Re-Enable Users After Switching to External Authentication. To re-enable a User: In Security Navigator expand the Users accordion. Select the user that you want to re-enable from the list of users. Right-click and select Edit. The User editor appears. In the Name field, enter a user name that matches the login of an enterprise user in the identity store. Click Retrieve GUID. If the user name has a match in the identity store, this external user's GUID appear in the External GUID field. From the File main menu, select Save.

Edit an ODI Standalone Agent jps-config.xml File to Point to Your External OID LDAP Server

1 .	A common task using ODI is to set up and install ODI agents. After the ODI scenarios are created, they can be scheduled and orchestrated using an ODI agent, which is a lightweight Java process that orchestrates the execution of ODI scenarios. For standalone agents, the configuration to connect and use the external identity store is contained in a copy of the same OPSS configuration file jps-config.xml that you used to configure the ODI Studio. However, you need to place the copy of this file for standalone agent in a different folder. Copy this file to the ODI_HOME/oracledi/agent/bin/ directory. The agent and the command line scripts will authenticate against the configured identity store. Refer to the Oracle Fusion Middleware Security Guide for more information.
2 .	Edit the odiparams.sh file, entering appropriate values, such as: ODI_MASTER_DRIVER=oracle.jdbc.driver.OracleDriver ODI_MASTER_URL=jdbc:oracle:thin:@localhost:1521:nrdb ODI_MASTER_USER=EAMASTER ODI_MASTER_ENCODED_PASS=gxfpqkz074jeaCpL4XSEFzxoj8E0p ODI_SECU_WORK_REP=WORKREP1 ODI_SUPERVISOR=SUPERVISOR ODI_SUPERVISOR_ENCODED_PASS=fJya.vR5kvNcu9TtV,jVZEt
3 .	To encode the password: <ODI_HOME>/oracledi/agent/bin/encode.sh <password>

Understand External User Authentication in a Java EE Context

1 .

Oracle Data Integrator components deployed in a container (Java EE Agent, Oracle Data Integrator Console) do not require a specific configuration. They use the configuration of their container. Refer to the Oracle Fusion Middleware Security Guide for more information on OPSS configuration in a Java EE context. In JRF-enabled J2EE containers (Agent in WebLogic Server [WLS]): Configure Java Required Files (JRF) on WLS. As soon as you configure your J2EE container (currently only WLS is supported) with JRF enabled, OPSS will be configured for the application deployed inside. By default, OPSS is configured to use the WLS internal LDAP Identity Store. You need to configure a new Authenticator inside WLS if you want to use an external, central OID.