Tuesday, November 4, 2014

How to do the (in)famous "Refresh GUIDs" process

  • Modify Presentation Server "instanceconfig.xml": under ServerInstance - Catalog, ensure the setting "UpdateAccountGUIDs" is set to UpdateAndExit:

         <ServerInstance>
           <Catalog>
             <UpgradeAndExit>false</UpgradeAndExit>
             <UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>
           </Catalog>
         </ServerInstance>

  • Modify BI Server "NQSConfig.INI", in the section "SERVER", change the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS setting to YES:
         [SERVER]
         FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
  • Go to $ORACLE_INSTANCE\bin (usually <install_dir>\instances\instance1\bin) and stop the BI Server and Presentation server:
         opmnctl stopproc ias-component=coreapplication_obis1
         opmnctl stopproc ias-component=coreapplication_obips1

  • Start the two processes again in the right order (BI Server, then Presentation Server) - this might take a bit longer than usual:
          opmnctl startproc ias-component=coreapplication_obis1
          opmnctl startproc ias-component=coreapplication_obips1
        
  • The Presentation Server will shut down when the process is completed. To see that it completed successfully, the following should be present in the newest sawlog file ($ORACLE_INSTANCE/diagnostics/logs/OracleBIPresentationServicesComponent/coreapplication_obips1/sawlog3.log):

[2014-11-04T12:23:31.000+01:00] [OBIPS] [NOTIFICATION:1] [] [saw.subsystem.catalog.initialize.upgrade] [ecid: ] [tid: ] Succeeded in updating account GUIDs from back end user population store[[

  • Modify BI Server "NQSConfig.INI", in the "SERVER" section, set FMW_UPDATE_ROLE_AND_USER_REF_GUIDS back to NO

         [SERVER]
         FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;
  • Modify Presentation Server "instanceconfig.xml": under ServerInstance - Catalog, ensure the setting "UpdateAccountGUIDs" is deleted or commented out:
         <ServerInstance>
           <Catalog>
             <UpgradeAndExit>false</UpgradeAndExit>
             <!--UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs-->
           </Catalog>
         </ServerInstance>
  • Start Presentation Server again:
           opmnctl startproc ias-component=coreapplication_obips1

Once the Presentation Server is running again, you should be ready to continue.
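
A check for the end state of the procedure above, as an added example that is not part of the original post: it confirms that the success message was logged, that FMW_UPDATE_ROLE_AND_USER_REF_GUIDS is back to NO and that no uncommented UpdateAccountGUIDs element remains. The function names and sample inputs are constructed for illustration, and treating lines that start with "#" as comments in NQSConfig.INI is an assumption.

```python
import re
import xml.etree.ElementTree as ET

SUCCESS = "Succeeded in updating account GUIDs from back end user population store"
KEY = "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS"

def ini_value(ini_text, key):
    """Last active value of key in NQSConfig.INI text ('#' lines never match)."""
    value = None
    for line in ini_text.splitlines():
        m = re.match(r"\s*%s\s*=\s*([^;#\s]+)" % re.escape(key), line)
        if m:
            value = m.group(1).upper()
    return value

def active_guid_setting(xml_text):
    """Text of an uncommented <UpdateAccountGUIDs>, else None.
    ElementTree drops XML comments, so a commented-out element is not seen."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "UpdateAccountGUIDs":  # ignore namespace
            return (el.text or "").strip()
    return None

def post_refresh_findings(xml_text, ini_text, sawlog_text):
    """Return a list of problems; an empty list means the refresh is finished."""
    findings = []
    if SUCCESS not in sawlog_text:
        findings.append("sawlog: success message not found")
    if ini_value(ini_text, KEY) != "NO":
        findings.append("NQSConfig.INI: %s is not set to NO" % KEY)
    if active_guid_setting(xml_text) is not None:
        findings.append("instanceconfig.xml: UpdateAccountGUIDs is still active")
    return findings

# Constructed sample inputs, modelled on the snippets in the post.
XML_REVERTED = """<ServerInstance><Catalog>
  <UpgradeAndExit>false</UpgradeAndExit>
  <!--UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs-->
</Catalog></ServerInstance>"""
XML_ACTIVE = XML_REVERTED.replace("<!--", "<").replace("-->", ">")
INI_YES = "[SERVER]\nFMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;\n"
INI_NO = ("[SERVER]\n# FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;\n"
          "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;\n")
SAWLOG = "[2014-11-04T12:23:31.000+01:00] [OBIPS] [NOTIFICATION:1] " + SUCCESS

if __name__ == "__main__":
    print(post_refresh_findings(XML_REVERTED, INI_NO, SAWLOG))
    print(post_refresh_findings(XML_ACTIVE, INI_YES, ""))
```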

Wednesday, September 17, 2014

Note to self 003: BISystemUser Password Change

These days we faced an issue at a customer, and we were getting an error

[2014-09-17T05:55:58.000+02:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 00iOQuuYzVhB_6kLSyO5yc0001Ro000000,0:36357:6] [tid: 16d0] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserCredentialsThe system user could not be authenticated.
[2014-09-17T05:55:58.000+02:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 00iOQuuYzVhB_6kLSyO5yc0001Ro000000,0:36357:6] [tid: 16d0] [nQSError: 43126] Authentication failed: invalid user/password.

And the users were not able to log into the OBIEE front end. All this points to an issue with the BISystemUser (default setup) not being correctly set up.
   
At first the customer tried (unsuccessfully):
  1. Go to WLS Console (http://<servername>:7001/console), Security Realms, myrealm, Users and Groups, Users. Locate the user BISystemUser, and change the password for this user
  2. Log on to Enterprise Manager (http://<servername>:7001/em), expand Weblogic Domain, right-click bifoundation_domain, select Security, Credentials.
  3. Under the "oracle.bi.system" folder, you will find the system.user credential. Edit this key, and type in the new password you set for the BISystemUser in step 1.
  4. After making this change, things still did not work, even after restarting AdminServer, bi_server1 and the OPMN components.
The key to solving this issue was to carry out the steps above, with an important difference. We were seeing entries in the bi_server1.log file (in <MW_HOME>/user_projects/domains/bifoundation_domain/servers/bi_server1/logs) that the BISystemUser was being locked, so when changing the password for the user in the WLS Console, the BI components were still trying to log in with the "old" password, and therefore locking out the user. This is the error message:

####<Sep 17, 2014 9:49:08 AM CEST> <Notice> <Security> <CMA1CS0327> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <75b304a5bd3e33a3:-7a4ce57c:1486b42f781:-8000-000000000004ada2> <1410940148242> <BEA-090078> <User bisystemuser in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
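
Detection logic for this lockout pattern, as an added example that is not part of the original post: it parses BEA-090078 notices out of bi_server1.log text and flags accounts that are locked again shortly after the previous lock expires, which is what a component retrying an old password produces. The function names, the 10-minute grace window and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Message text as it appears in the bi_server1.log line quoted in the post.
LOCKOUT = re.compile(
    r"<(?P<ms>\d{13})> <BEA-090078> <User (?P<user>\S+) in security realm "
    r"(?P<realm>\S+) has had (?P<attempts>\d+) invalid login attempts, "
    r"locking account for (?P<minutes>\d+) minutes\.>")

def lockout_events(log_text):
    """Parse BEA-090078 lockout notices into dicts, ordered by time."""
    events = []
    for m in LOCKOUT.finditer(log_text):
        events.append({
            "when": datetime.fromtimestamp(int(m["ms"]) // 1000, tz=timezone.utc),
            "user": m["user"].lower(),
            "realm": m["realm"],
            "lock": timedelta(minutes=int(m["minutes"])),
        })
    return sorted(events, key=lambda e: e["when"])

def relocked_accounts(events, grace=timedelta(minutes=10)):
    """Count, per user, lockouts that follow the previous lock's expiry within
    `grace`: the pattern left by a component retrying a stale password."""
    last, relocks = {}, defaultdict(int)
    for e in events:
        prev = last.get(e["user"])
        if prev and e["when"] - prev["when"] <= prev["lock"] + grace:
            relocks[e["user"]] += 1
        last[e["user"]] = e
    return dict(relocks)

# Constructed log lines in the format of the line quoted above; only the first
# timestamp and the user name bisystemuser come from the post.
LINE = ("####<Sep 17, 2014> <Notice> <Security> <host> <bi_server1> <thread> "
        "<<WLS Kernel>> <> <> <%d> <BEA-090078> <User %s in security realm "
        "myrealm has had 5 invalid login attempts, locking account for 30 minutes.>")
SAMPLE_LOG = "\n".join([
    LINE % (1410940148242, "bisystemuser"),
    "####<Sep 17, 2014> <Info> <Security> <host> <bi_server1> <thread> unrelated",
    LINE % (1410940148242 + 31 * 60 * 1000, "bisystemuser"),   # 31 minutes later
    LINE % (1410940148242 + 45 * 60 * 1000, "jdoe"),           # single lockout
])

if __name__ == "__main__":
    print(relocked_accounts(lockout_events(SAMPLE_LOG)))
```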
   
These are the correct steps
  1. Shut down all OPMN components (<MW_HOME>/instances/instancen/bin/opmnctl stopall)
  2. Go to WLS Console (http://<servername>:7001/console), Security Realms, myrealm, Users and Groups, Users. Locate the user BISystemUser, and change the password for this user
  3. Log on to Enterprise Manager (http://<servername>:7001/em), expand Weblogic Domain, right-click bifoundation_domain, select Security, Credentials.
  4. Under the "oracle.bi.system" folder, you will find the system.user credential. Edit this key, and type in the new password you set for the BISystemUser in step 2.
  5. Stop the bi_server1 managed server and the WLS AdminServer
  6. Restart the whole stack as usual.
Now the next question that pops up is why did it all go wrong in the first place - why did we need to change the password at all? This remains to be seen.....
 

Friday, August 8, 2014

Web Services / Action Framework Configuration Issue

Configuring Web Services overview, to give the end user a list of web services to choose from, I ran into an error when trying to create a new action:

Soap invocation failure. HTTP error code: '
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
 <env:Header/>
 <env:Body>
  <env:Fault>
   <env:Code xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <env:Value>env:Receiver</env:Value>
   </env:Code>
   <env:Reason>
    <env:Text xml:lang="en-US">Trying to read a config value before initializing the reader.</env:Text>
   </env:Reason>
   <env:Detail>
    <ns4:ServiceFault xmlns:ns2="http://oracle.bi.action.registry.ws/" xmlns:ns3="com.siebel.analytics.web/report/v1.1" xmlns:ns4="http://oracle.bi.action.ws/types/fault/">
     <ns4:message>Trying to read a config value before initializing the reader.</ns4:message>
     <ns4:location xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
    </ns4:ServiceFault>
   </env:Detail>
  </env:Fault>
 </env:Body>
</env:Envelope>'.





ActionFrameworkConfig.xml file



This error shows in bi_server1-diagnostic.log, located in

%MW_HOME%\user_projects\domains\bifoundation_domain\servers\bi_server1\logs

"Error reading config file null"

[2014-08-08T09:54:34.146+02:00] [bi_server1] [ERROR] [] [oracle.bi.action.registry.actionregistry] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: BISystemUser] [ecid: 135ac36048dd4c54:-2a4ce35d:147b4973be8:-8000-0000000000000084,0:1:1] [APP: bimiddleware#11.1.1] [J2EE_APP.name: bimiddleware_11.1.1] [J2EE_MODULE.name: analytics/actions] [WEBSERVICE.name: ActionRegistryService] [WEBSERVICE_PORT.name: ActionRegistrySvcPort] Error reading config file null[[

Further down, found this:

[org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'registry'. One of '{registries}' is expected.]


So a tag <registries> was missing in ActionFrameworkConfig.xml

Tuesday, November 5, 2013

Note to self 002: Using SQL*Plus on Exalytics

Many times we get the question whether it is allowed to install the Oracle Database Client on an Exalytics In-Memory Machine. The answer to this is a bit difficult: Allowed? Certified? Supported?

It is not certified nor supported, but actually there is already a client installed in

MW_HOME/Oracle_BI1

SQL*Plus you say? Not to worry, there is an Instant Client as well available with the Times Ten software installed on the Exalytics server.

An example of running SQL*Plus from an Exalytics Server to test connectivity based on the tnsnames.ora located in the Oracle_BI1 home:


sudo su - oracle
cd /u01/app/oracle/product/TimesTen/tt1122/ttoracle_home/instantclient_11_2
export LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH
export TNS_ADMIN=/u01/app/oracle/product/fmw/Oracle_BI1/network/admin/
./sqlplus <schema>@<tnsname>

This is my narrow view on the world - if anybody reading this has any comments on other scenarios or cannot get the above to work, make sure you leave a comment below!

Thursday, August 15, 2013

Note to self 001: how to edit a weblogic domain in offline mode

I changed some settings that seemed to render my security provider (DefaultAuthenticator) useless, which meant that I could not start the AdminServer anymore.

I was getting an error about the boot.properties identity not being correct, and this had not changed in a long time. So how do I change settings in my weblogic domain when I cannot use the console? Easy: You just edit your domain settings in offline mode using WLST. Here's an example of how I changed the provider configuration. I had played with some of the Group Hierarchy settings in the DefaultAuthenticationProvider, and these settings resulted in it being impossible to start the AdminServer.

Instead of connecting to a domain, you read the domain from disk:

wls:/offline>readDomain('/u01/app/oracle/product/fmw/user_projects/domains/bifoundation_domain')

wls:/offline/bifoundation_domain>cd('SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider')

wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>ls()
-rw-   CompatibilityObjectName                       null
-rw-   ControlFlag                                   null
-rw-   EnableGroupMembershipLookupHierarchyCaching   false
-rw-   GroupHierarchyCacheTtl                        0
-rw-   GroupMembershipSearching                      null
-rw-   KeepAliveEnabled                              false
-rw-   MaxGroupHierarchiesInCache                    0
-rw-   MaxGroupMembershipSearchLevel                 0
-rw-   MinimumPasswordLength                         8
-rw-   Name                                          Provider
-rw-   PasswordDigestEnabled                         false
-rw-   PropagateCauseForLoginException               false
-rw-   UseRetrievedUserNameAsPrincipal               true
wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>cmo.setEnableGroupMembershipLookupHierarchyCaching(true)
wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>cmo.setMaxGroupHierarchiesInCache(100)
wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>cmo.setGroupHierarchyCacheTTL(60)

After editing the values, we update and close the domain (a bit like activate() when working with WLST in online mode)

wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>updateDomain()

wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>closeDomain()

Next time I tried starting the AdminServer, it all went fine again!

Friday, August 2, 2013

Exalytics Patchset 3 available OBIEE 11.1.1.7 Now Certified for Exalytics!

A quick post to a new announcement.

Exalytics PS3 is now available, together with an updated Exalytics configuration, now called Exalytics X3-4 (The previous version was called X2-4). Now with 2TB of RAM, among other improvements.

Read more here, on the Proactive Support Blog from Oracle:

https://blogs.oracle.com/emeapartnerbiepm/entry/new_exalytics_x3_4_system

Enjoy the read!


Thursday, May 16, 2013

How to get SSO working with WNA

Having problems getting Single Sign On working with Kerberos and Windows Native Authentication with OBIEE? This is the note that explains how it should be done:

OBIEE 11g: Configuring Authentication and SSO with Active Directory and Windows Native Authentication [ID 1274953.1]
https://support.oracle.com/epmos/faces/DocContentDisplay?id=1274953.1

Debug, debug, debug....

This blog entry may also help you find the cause of different error messages when trying to get kinit, keytab files, etc. to work - it's not specific to OBIEE, but it was really useful to me:

http://idmrockstar.com/blog/2012/05/wna-kerberos-setup-with-oam-11g-lessons-learned/


This is a good source of troubleshooting assistance:

OBIEE 11g: How To Check each Configuration Step when Configuring Authentication and SSO with Active Directory and Windows Native Authentication [ID 1390127.1]
https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1390127.1


If it doesn't work it is most probably due to a configuration error. Trust me. Review your installation.

To add to complexity, in some cases you might have a load balancer between the user and the OBIEE server. Try checking this blog post out, it tells us how to use ktutil to merge several keytab files together:

http://oraclelabspace.blogspot.dk/2012/01/configurining-sso-using-kerberosspnego.html

Here are some tips that I have found helpful - some are mine, some are borrowed from others. This list is a work in progress, as you always learn something new...

- If you feel confident that you know you are in complete control of Weblogic, and have taken some shortcuts and done things differently than in the Oracle Technote because "you know it works", try again. To make sure all your components are configured correctly, follow the technote step by step. Do not do things differently until you get it to work. Then, when you get it to work, start doing things your way. When in trouble, it is good to get confirmation that it does work, and if you have issues, it will be easier and quicker for Oracle Support to understand your issue.

- Building the war file and ear file. I had issues with this first time around, as I am no java expert, and did not know the jar utility too well. This is the command that works for me on a Linux installation:
jar -cvfm analytics.war META-INF/MANIFEST.MF * > out.txt
jar -cvfm analytics.ear META-INF/MANIFEST.MF * > out.txt
Basically what we are doing is telling jar to take all the files in the folder and add them to analytics.ear/war and to use the manifest file in the META-INF folder (and not to generate a new one). Redirecting output to a text file will let you check if there are any errors when creating the war and ear files.

- Check that krb5Login.conf is completely correct and has no hidden characters
- Get an LDAP Browser software. JXplorer and Softerra LDAP browser are quite good.
- Test your Group & User filters in the LDAP browser to make sure it works as expected.
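
A scanner for the hidden characters mentioned in the krb5Login.conf tip above, as an added example that is not part of the original post: it reports every BOM, carriage return, non-breaking space, typographic quote or other non-ASCII character with its line and column. The function name is hypothetical, and the sample file content with its principal and keytab values is a constructed placeholder.

```python
import unicodedata

def hidden_chars(data):
    """Return (line, column, 'U+XXXX NAME') for every character that is not
    printable ASCII, a tab or a line feed. `data` is the raw file content."""
    text = data.decode("utf-8", errors="replace")
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch == "\t" or " " <= ch <= "~":
                continue
            # Control characters such as CR have no Unicode name.
            name = unicodedata.name(ch, "CONTROL CHARACTER")
            findings.append((lineno, col, "U+%04X %s" % (ord(ch), name)))
    return findings

# Constructed krb5Login.conf content with typical copy-and-paste damage:
# a UTF-8 BOM, one CRLF line ending, curly quotes and a non-breaking space.
SAMPLE = (
    b"\xef\xbb\xbfcom.sun.security.jgss.initiate {\r\n"
    b"  com.sun.security.auth.module.Krb5LoginModule required\n"
    b"  principal=\xe2\x80\x9cHTTP/obiee.example.com@EXAMPLE.COM\xe2\x80\x9d\n"
    b"  useKeyTab=true\xc2\xa0keyTab=\"/tmp/example.keytab\" storeKey=true;\n"
    b"};\n"
)

if __name__ == "__main__":
    for lineno, col, what in hidden_chars(SAMPLE):
        print("line %d, column %d: %s" % (lineno, col, what))
```

To check a real file, pass its bytes: `hidden_chars(open("krb5Login.conf", "rb").read())`.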

Edit 2013-Aug-02

There is a new web application that you can deploy on your AdminServer to check that the settings like MSAD SPN, configuration files, host names, etc. are correct. It is called SPNEGOcheck and can be downloaded from MOS, see note [1390127.1]. It's a bit crude but gives basic information on your different settings.

https://support.oracle.com/epmos/faces/DocContentDisplay?id=1390127.1

This goes hand-in-hand with the "old" BI Security Diagnostics Helper, which is explained in the documentation. It is a web application you deploy on the server, and it checks different settings, like Oracle Web Services Manager, BISystemUser, and lets you test whether the AD authentication is set up properly.

http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/troubleshoot.htm#BIESC6203


Happy SSO'ing!