Tuesday, November 5, 2013

Note to self 002: Using SQL*Plus on Exalytics

Many times we get the question whether it is allowed to install the Oracle Database Client on an Exalytics In-Memory Machine. The answer to this is a bit difficult: Allowed? Certified? Supported?

It is neither certified nor supported, but there is actually already a client installed in

MW_HOME/Oracle_BI1

SQL*Plus, you say? Not to worry: an Instant Client is also available with the TimesTen software installed on the Exalytics server.

An example of running SQL*Plus from an Exalytics server to test connectivity based on the tnsnames.ora located in the Oracle_BI1 home:


sudo su - oracle
cd /u01/app/oracle/product/TimesTen/tt1122/ttoracle_home/instantclient_11_2
export LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH
export TNS_ADMIN=/u01/app/oracle/product/fmw/Oracle_BI1/network/admin/
./sqlplus <schema>@<tnsname>

This is my narrow view on the world - if anybody reading this has any comments on other scenarios or cannot get the above to work, make sure you leave a comment below!

Thursday, August 15, 2013

Note to self 001: How to edit a WebLogic domain in offline mode

I changed some settings that seemed to render my security provider (DefaultAuthenticator) useless, which meant that I could not start the AdminServer anymore.

I was getting an error about the boot.properties identity not being correct, and this had not changed in a long time. So how do I change settings in my WebLogic domain when I cannot use the console? Easy: You just edit your domain settings in offline mode using WLST. Here's an example of how I changed the provider configuration. I had played with some of the Group Hierarchy settings in the DefaultAuthenticationProvider, and these settings resulted in it being impossible to start the AdminServer.

Instead of connecting to a domain, you read the domain from disk:

wls:/offline>readDomain('/u01/app/oracle/product/fmw/user_projects/domains/bifoundation_domain')

wls:/offline/bifoundation_domain>cd('SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider')

wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>ls()
-rw-   CompatibilityObjectName                       null
-rw-   ControlFlag                                   null
-rw-   EnableGroupMembershipLookupHierarchyCaching   false
-rw-   GroupHierarchyCacheTtl                        0
-rw-   GroupMembershipSearching                      null
-rw-   KeepAliveEnabled                              false
-rw-   MaxGroupHierarchiesInCache                    0
-rw-   MaxGroupMembershipSearchLevel                 0
-rw-   MinimumPasswordLength                         8
-rw-   Name                                          Provider
-rw-   PasswordDigestEnabled                         false
-rw-   PropagateCauseForLoginException               false
-rw-   UseRetrievedUserNameAsPrincipal               true
wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>cmo.setEnableGroupMembershipLookupHierarchyCaching(true)
wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>cmo.setMaxGroupHierarchiesInCache(100)
wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>cmo.setGroupHierarchyCacheTTL(60)

After editing the values, we update and close the domain (a bit like activate() when working with WLST in online mode):

wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>updateDomain()

wls:/offline/bifoundation_domain/SecurityConfiguration/bifoundation_domain/Realm/myrealm/AuthenticationProvider/Provider>closeDomain()

Next time I tried starting the AdminServer, it all went fine again!

Friday, August 2, 2013

Exalytics Patchset 3 available: OBIEE 11.1.1.7 Now Certified for Exalytics!

A quick post about a new announcement.

Exalytics PS3 is now available, together with an updated Exalytics configuration, now called Exalytics X3-4 (The previous version was called X2-4). Now with 2TB of RAM, among other improvements.

Read more here, on the Proactive Support Blog from Oracle:

https://blogs.oracle.com/emeapartnerbiepm/entry/new_exalytics_x3_4_system

Enjoy the read!


Thursday, May 16, 2013

How to get SSO working with WNA

Having problems getting Single Sign On working with Kerberos and Windows Native Authentication with OBIEE? This is the note that explains how it should be done:

OBIEE 11g: Configuring Authentication and SSO with Active Directory and Windows Native Authentication [ID 1274953.1]
https://support.oracle.com/epmos/faces/DocContentDisplay?id=1274953.1

Debug, debug, debug....

This blog entry may also help you find the cause of different error messages when trying to get kinit, keytab files, etc. to work - it's not specific to OBIEE, but it was really useful to me:

http://idmrockstar.com/blog/2012/05/wna-kerberos-setup-with-oam-11g-lessons-learned/


This is a good source of troubleshooting assistance:

OBIEE 11g: How To Check each Configuration Step when Configuring Authentication and SSO with Active Directory and Windows Native Authentication [ID 1390127.1]
https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1390127.1


If it doesn't work it is most probably due to a configuration error. Trust me. Review your installation.

To add to the complexity, in some cases you might have a load balancer between the user and the OBIEE server. Check out this blog post, which explains how to use ktutil to merge several keytab files together:

http://oraclelabspace.blogspot.dk/2012/01/configurining-sso-using-kerberosspnego.html

Here are some tips that I have found helpful - some are mine, some are borrowed from others. This list is a work in progress, as you always learn something new...

- If you feel confident that you are in complete control of WebLogic, and have taken some shortcuts and done things differently than in the Oracle Technote because "you know it works", try again. To make sure all your components are configured correctly, follow the technote step by step. Do not do things differently until you get it to work. Then, when you get it to work, start doing things your way. When in trouble, it is good to get confirmation that it does work, and if you have issues, it will be easier and quicker for Oracle Support to understand your issue.

- Building the war file and ear file. I had issues with this the first time around, as I am no Java expert, and did not know the jar utility too well. This is the command that works for me on a Linux installation:
jar -cvfm analytics.war META-INF/MANIFEST.MF * > out.txt
jar -cvfm analytics.ear META-INF/MANIFEST.MF * > out.txt
Basically what we are doing is telling jar to take all the files in the folder and add them to analytics.ear/war and to use the manifest file in the META-INF folder (and not to generate a new one). Redirecting output to a text file will let you check if there are any errors when creating the war and ear files.

- Check that krb5Login.conf is completely correct and has no hidden characters.
- Get an LDAP browser. JXplorer and Softerra LDAP Browser are quite good.
- Test your Group & User filters in the LDAP browser to make sure they work as expected.
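
One way to do the hidden-character check on krb5Login.conf from the tip above, as an added example that is not part of the original post or of Oracle's tooling. The function name, the list of suspect characters and the sample file content are assumptions made for illustration.

```python
import unicodedata

# Characters that sneak into a config pasted from a web page, PDF or Word file.
SUSPECTS = {
    "\ufeff": "byte order mark",
    "\u00a0": "no-break space",
    "\u200b": "zero width space",
    "\u201c": "left curly quote",
    "\u201d": "right curly quote",
    "\u2013": "en dash",
    "\r": "carriage return (CRLF line ending)",
}

def find_hidden_chars(data):
    """Return (line, column, codepoint, description) for every suspicious
    character in the raw bytes of a config file. Lines and columns are 1-based."""
    findings = []
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        line = data.count(b"\n", 0, exc.start) + 1
        return [(line, 0, "0x%02X" % data[exc.start], "byte is not valid UTF-8")]
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SUSPECTS:
                desc = SUSPECTS[ch]
            elif ch == "\t" or " " <= ch <= "~":
                continue  # plain ASCII, nothing to report
            elif unicodedata.category(ch) in ("Cc", "Cf"):
                desc = "control/format character"
            else:
                desc = "non-ASCII character"
            findings.append((lineno, col, "U+%04X" % ord(ch), desc))
    return findings

# Constructed sample: a krb5Login.conf-style entry with a BOM, a no-break
# space, curly quotes around the principal and a Windows line ending.
SAMPLE = (
    "\ufeffcom.sun.security.jgss.krb5.accept {\n"
    "  com.sun.security.auth.module.Krb5LoginModule\u00a0required\n"
    "  principal=\u201cHTTP/obiee.example.com@EXAMPLE.COM\u201d\r\n"
    "  useKeyTab=true storeKey=true;\n"
    "};\n"
).encode("utf-8")

if __name__ == "__main__":
    for line, col, cp, desc in find_hidden_chars(SAMPLE):
        print("line %d col %d %s %s" % (line, col, cp, desc))
```

To check a real file, pass its raw bytes: `find_hidden_chars(open("krb5Login.conf", "rb").read())`. An empty list means the file is plain ASCII with Unix line endings.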

Edit 2013-Aug-02

There is a new web application that you can deploy on your AdminServer to check that settings like the MSAD SPN, configuration files, host names, etc. are correct. It is called SPNEGOcheck and can be downloaded from MOS, see note [1390127.1]. It's a bit crude but gives basic information on your different settings.

https://support.oracle.com/epmos/faces/DocContentDisplay?id=1390127.1

This goes hand-in-hand with the "old" BI Security Diagnostics Helper, which is explained in the documentation. It is a web application you deploy on the server, and it checks different settings, like Oracle Web Services Manager, BISystemUser, and lets you test whether the AD authentication is set up properly.

http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/troubleshoot.htm#BIESC6203


Happy SSO'ing!