Authentication of BI Publisher using IDM

Hello

I need to authenticate users who log in to BI Publisher using IDM. IDM and BI are installed in different domains, on different WebLogic servers. Here's what I've tried so far:

1. I created a custom authentication provider and deployed it in WebLogic.

2. As the passwords stored in the DB are encrypted, I need a way to decrypt the password that comes from the DB. I use the following code to decrypt the password:

String decryptedPass = tcCryptoUtil.decrypt(encryptedPass, "DBSecretKey");

The code itself works fine in Eclipse. To make this work, I included the following in the classpath:

  • all jars located in $IDM_HOME\modules\oracle.jps_11.1.1
  • oimclient.jar
  • In the run configuration I added the following VM arguments (pointing at the IDM domain configuration):

-Doracle.security.jps.config=D:\oracle\middleware\user_projects\domains\zus_domain\config\fmwconfig\jps-config.xml -DDOMAIN_HOME=D:\oracle\middleware\user_projects\domains\zus_domain

Now, to make it work in the BI WebLogic, I added all the jars to the classpath in setWLSEnv.cmd:

set JPS_DIR=D:\oracle\middleware\Oracle_IDM1\modules\oracle.jps_11.1.1
set CLASSPATH=%CLASSPATH%;%JPS_DIR%\jacc-spi.jar;%JPS_DIR%\jps-api.jar;%JPS_DIR%\jps-az-api.jar;%JPS_DIR%\jps-az-common.jar;...

Now when I try to authenticate:

1. The authenticator successfully retrieves the password stored in the DB.

2. When I try to decrypt it using the above code I get the following error:

####<2015-04-09 10:01:34 CEST> <Error> <XELLERATE.ACCOUNTMANAGEMENT> <PSosinski> <AdminServer> 
<[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> 
<<WLS Kernel>> <> <3759beab00426ccc:-3fe7b1ed:14c9d2d88c6:-8000-0000000000000017> <1428566494604> 
<BEA-000000> <Class/Method: tcDefaultDBEncryptionImpl/initKeyStore encounter some problems: {1}
java.lang.NullPointerException
  at com.thortech.xl.crypto.tcCryptoHelper.loadKeyStore(tcCryptoHelper.java:87)
  at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.initKeyStore(tcDefaultDBEncryptionImpl.java:67)
  at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.getCipher(tcDefaultDBEncryptionImpl.java:96)
  at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.encrypt(tcDefaultDBEncryptionImpl.java:193)
  at com.thortech.xl.crypto.tcCryptoUtil.encrypt(tcCryptoUtil.java:118)
  at com.thortech.xl.crypto.tcCryptoUtil.encrypt(tcCryptoUtil.java:275)
  at oracle.iam.platform.auth.impl.Authenticator.encrypt(Authenticator.java:185)
  at oracle.iam.platform.auth.impl.Authenticator.authenticateWithPassword(Authenticator.java:160)
  at oracle.iam.platform.auth.impl.Authenticator.authenticate(Authenticator.java:133)
  at oracle.iam.platform.auth.providers.wls.OIMAuthLoginModule.login(OIMAuthLoginModule.java:44)
  at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
  at $Proxy39.login(Unknown Source)
  at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
  at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
  at $Proxy57.authenticate(Unknown Source)
  at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
  at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
  at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:251)
  at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:200)
  at weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:258)
  at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:213)
  at weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:96)
  at weblogic.servlet.security.internal.ChainedSecurityModule.checkAccess(ChainedSecurityModule.java:79)
  at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
  at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2213)
  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
> 

Note that I did not provide the JPS config or DOMAIN_HOME in the authenticator (as opposed to running the code in Eclipse), since it runs from the other domain (probably not a good idea to change DOMAIN_HOME).

Now the questions:

1. Any advice on how to create the custom authenticator and make it work? It seems a dependency is missing. How do I provide all the dependencies?

2. Perhaps there is already an authenticator I can download/use? I tried to copy the OIMAuthenticator that comes with the IDM installation. When I deployed it in the BI WebLogic it did not work properly (lots of exceptions).

I was unable to run my custom authenticator, which used IDM libraries, to authenticate in the BI Publisher domain. So I ended up with two different solutions, and both work:

1. I created another external application (jar file) used only to decrypt the passwords that come from IDM via JDBC. I then call this jar from my previously set up authenticator, with -DDOMAIN_HOME pointing to IDM. This way, the IDM service does not need to be running.

2. OIMClient is capable of retrieving IDM passwords in decrypted form. Follow this link to learn more: Oracle Stack: OIM 11g R1: Getting OIM decrypted password for user

Also be sure to create the appropriate groups inside Enterprise Manager and assign them the custom roles, as custom authenticators work only with WLSGroupImpl and WLSUserImpl.

Tags: Fusion Middleware

Similar Questions

  • Firefox has arbitrarily disabled IDM CC, which worked fine for months. How can I reinstall it? I won't keep using Firefox if I can't use IDM.

    Firefox has arbitrarily disabled the IDM CC even though I used it several times a day for months with no problems. I want to reinstall IDM and use it. If I can't, I will stop using Firefox and go back to IE. I prefer to stay with Firefox, but I won't use a browser that doesn't let me use IDM, which worked very well.

    == I reloaded Firefox and was told that IDM has been disabled


  • Are all ThinApp'd applications compatible for deployment using IDM/Workspace?

    Hello

    First of all, excuse my limited knowledge of IDM. I have ThinApp'd a number of applications successfully and they work a treat at launch, but some of them have problems when rebuilt to use IDM for deployment. These ThinApp'd applications are delivered to the local desktop (folder C:\ProgramData\VMware\Identity Manager Desktop\thinapp) but fail to run correctly. MobaXterm 9 is an example of such an application. My understanding is that if a ThinApp'd application starts and works correctly, it should be no different when delivered via IDM, right?

    Environment:

    Windows 8.1 desktop x 64

    ThinApp 5.1

    IDM client 2.4.1 - 3411811

    Thanks in advance.

    Jason

    OK, vIDM should not affect the launch of applications packaged with ThinApp. But if you've found a case where it does, please file a support ticket with VMware Support. We need to take a look at what is interfering...

  • Error message when I publish using Business Catalyst

    I get an error message when I publish using Business Catalyst. Business Catalyst says the online system is working fine. What can I do?

    Well, it started to work again... Yes!

  • LDAP authentication for BI Publisher

    Hello

    I am trying to enable AD for BI Publisher authentication. I tried most of the possible LDAP configuration settings. But when I try to log in, it throws the following error.

    The server cannot be used because of a configuration error, please contact the administrator. If you are the administrator, please see the BI Publisher user guide for the correct configuration.
    Error detail

    oracle.apps.xdo.security.ValidateException

    Should I create the BI Publisher roles in the LDAP server for BI Publisher LDAP authentication?

    Kindly let me know if anyone has a solution for this.

    Thank you and best regards,
    Rajesh J

    Edited by: sj_rajesh may 18, 2010 16:49

    Here is an example of LDAP integration with ADSI:
    http://gerardnico.com/wiki/dat/BIP/ldap_adsi

    And yes, you must create the groups in the LDAP directory. They are imported when BIP starts.

    Cheers
    Nico

  • BI Server uses LDAP and BI Publisher uses BI Server auth - can this work?

    Hello

    I've set up the OBIEE BI Server to use our MS Active Directory LDAP repository for authentication. It works perfectly.

    On the other hand, BI Publisher is configured to use BI Server authentication. I can see the XMLP* groups there, but obviously there are no users defined in the BI Server to add to them!

    The reason I want this configuration is that another department is responsible for maintaining AD, and it would make things easier if we could maintain BI Publisher access ourselves, through the BI Server admin tool.

    Something tells me that's not possible, but I was wondering if there is any workaround or tip for this problem?

    Thank you
    Luis

    With ADSI, you cannot import users and groups. You then create a session variable initialization block with an external table:

    See an example here:
    http://obieeblog.WordPress.com/2009/06/18/OBIEE-security-enforcement-%E2%80%93-external-database-table-authorization/

    Cheers
    Nico

  • Black screen in movies published using Windows Movie Maker

    I have used Movie Maker successfully in the past, but when I try to publish my latest movie, the screen goes black halfway through the final film. The audio is still there, but there is no video.

    I don't think it's a codec issue; I've created many other movies that play successfully and I didn't do anything differently this time. Source clips are in .avi format, as they have always been in the past.

    I've seen many other people reporting this problem on various forums, but no one has offered a viable solution. One person mentioned having the audio muted on the clips, but none of my videos have their audio muted.

    Any suggestions?

    Thanks in advance.

    Thanks for the suggestion, but as I said, I did this several times without any problems before using exactly this file format, so I don't think it's a compatibility issue. And the film works very well for the first half, using clips with the same format from the same source, so why would a compatibility problem cut in halfway through?

    My guess is that it has something to do with the number of clips in the movie; Movie Maker is just panicking because there are too many things to deal with. I've got round it by cutting the film into two halves, publishing the two halves, re-importing them into Movie Maker, and then stitching them together. This is not the most satisfactory solution, but at least it works.

  • Two-factor authentication for Cisco AnyConnect using certificates

    I plan to configure two-factor authentication and intend to buy a Thawte certificate, but need help choosing which certificate I need to buy. Can I purchase a code signing SSL certificate and use it for two-factor authentication? If not, what should I buy and what is the procedure?

    Regards

    NH

    Hi, NH,

    I see that you want two-factor authentication for clients who connect to your network using AAA + certificates on the headend.

    I also see that you are looking to get the certificate signed by Thawte.

    > In two-factor authentication in your scenario, the client, when connecting, must present the username and password and a client certificate to complete the authentication.

    > You can get the client certificate signed by any public Certificate Authority (CA).

    > Only a certificate with the Extended Key Usage extension attribute value 'Client Authentication' can be used by the client during client certificate authentication.

    > If the Extended Key Usage does not have 'Client Authentication' as one of its values, then that certificate cannot be used for client certificate authentication.

    > Now, once you get the client certificate and install it on the workstation, authentication against the network headend may still fail when validating the certificate, as the network headend must have the root certificate of the client certificate's CA installed in its Certificate Authority (CA) store.

    Kind regards

    Nouredine Sethi

  • RADIUS authentication for switches using ISE

    Hi guys,

    Has anyone done RADIUS authentication for switch CLI login using ISE?

    We did it in our environment with ISE, but it is a challenge to give read-only / priv-1 access.

    If some users know the enable password, they can use it and gain full privilege.

    Is there any way to get around this other than changing the enable password?

    We have thousands of switches and won't change it on each of them.

    If you have another method, please advise.

    Thank you in advance.

    Well, you can set the "enable" function to also be controlled via the AAA server with the following command:

    aaa authentication enable ... This way the AAA server will be checked for the enable secret authentication, using the local database as a last resort

    I hope this helps!

    Thanks for rating helpful posts!

  • MAC authentication with wireless using WPA

    I have some wireless workstations that are set up as kiosks where I work. I want these laptops to connect to my ACS 4.2 SE to establish the secure connection in the background (using WPA), and then have the user log on with valid network credentials using Windows credentials. I couldn't get this to work. Can someone help me?

    Thank you

    Mike

    Please check the PEAP docs that explain the PEAP authentication setup.

    Kind regards

    ~ JG

    Please rate useful posts

  • IPsec VPN client authentication using digital certificates

    Hello

    Please, I need some clarification and help to set up my ASA 5540 with IOS 8.3.x for remote client certificate authentication.

    I have my root certificate from the Microsoft CA, but I'm not quite sure if the steps described in the following Cisco web pages are exactly what I need, since the firewall seems to generate the certificate to use.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080930f21.shtml

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008073b12b.shtml

    My setup is such that the CA will issue certificates to the remote clients and the ASA firewall, and remote clients will authenticate and connect with their certificates, which the firewall continuously validates against the revocation list updated by the certification authority.

    The DHCP pool must be issued by the DC on the inside network and not by the firewall.

    Any examples or best practices to achieve these steps will be really appreciated.

    Thank you

    Hi Josh,

    Let me explain briefly how PKI auth works:

    In a public key infrastructure configuration, devices do not trust each other directly, but they have a certification authority, which is the one that issues the certificates. We call this the root CA (there may be a more complex configuration where intermediates are involved, but that's another story). So when the root CA issues a certificate, it signs it with its private key. To be able to verify this signature, we need the CA's public key, which is included in the CA certificate.

    So for certificate authentication, you must create a trustpoint, which defines the parameters of the root certification authority.

    Then you will authenticate this trustpoint, which basically means that you will get the root CA's certificate and store it locally.

    After that, you enroll with this CA, which means that you will request (and get) your own certificate.

    Other users will do the same and have the same root CA cert, but different personal (identity) certificates.

    So what happens on authentication is that both ends send their certificate to the other, and they use the public key contained in the root CA certificate to validate the signature of the certificate received from the remote peer. If the signature is correct, this means that the root certificate authority actually issued the certificate, and this remote peer can be trusted (or not).

    Hope this is clear.
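As an added example (not from this thread, nor Cisco's own code), here is the chain-of-trust and EKU logic described in the two answers above (the AnyConnect two-factor reply and the PKI explanation) exercised with the openssl command-line tool: a constructed root CA plays the role of the trustpoint, one identity certificate is issued with the clientAuth EKU, one with serverAuth only, and a third clientAuth certificate is issued by an untrusted CA. All names (Example Root CA, alice, vpn-headend, Rogue CA), the PKI_DIR layout and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: a tiny PKI built with the openssl
# CLI to show the two checks a headend performs on a presented client certificate.
# All names and paths below are constructed for the example.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# A self-signed CA certificate with explicit CA extensions, so that
# "openssl verify" accepts it as an issuer. This is what a trustpoint stores.
make_ca() { # <name> <subject>
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$PKI_DIR/ca.ext"
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$PKI_DIR/$1.csr" -signkey "$PKI_DIR/$1.key" -days 30 \
    -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/$1.pem" >/dev/null 2>&1
}

# Enrollment: a CSR for the identity, signed by the named CA with the given EKU.
issue_leaf() { # <name> <subject> <ca-name> <eku>
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$PKI_DIR/$1.ext"
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$3.pem" -CAkey "$PKI_DIR/$3.key" \
    -CAcreateserial -days 30 -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.pem" >/dev/null 2>&1
}

build_pki() {
  make_ca ca "/CN=Example Root CA"
  make_ca rogue-ca "/CN=Rogue CA"
  issue_leaf client "/CN=alice" ca clientAuth        # proper client certificate
  issue_leaf server "/CN=vpn-headend" ca serverAuth  # trusted issuer, but no clientAuth EKU
  issue_leaf rogue "/CN=alice" rogue-ca clientAuth   # right EKU, untrusted issuer
}

# Check 1 (trustpoint): does the certificate chain to the root CA we installed?
chains_to_trusted_root() { # <name>
  openssl verify -CAfile "$PKI_DIR/ca.pem" "$PKI_DIR/$1.pem" 2>&1 | grep -q ': OK$'
}

# Check 2 (EKU): does Extended Key Usage include TLS client authentication?
has_client_auth_eku() { # <name>
  openssl x509 -in "$PKI_DIR/$1.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

# The decision the headend makes about a presented client certificate.
accept_client_cert() { # <name> -> prints accept|reject
  if chains_to_trusted_root "$1" && has_client_auth_eku "$1"; then
    echo accept
  else
    echo reject
  fi
}

build_pki
for name in client server rogue; do
  printf '%-7s %s\n' "$name" "$(accept_client_cert "$name")"
done
```

Run as a script, it prints accept for client and reject for the other two. These are the two conditions the answers spell out: the root that issued the client certificate must be in the headend's CA store (check 1), and the certificate must carry the Client Authentication EKU (check 2); failing either one is a rejection even when the other holds. The Java-side counterpart of installing a root into a trust store is keytool -importcert -trustcacerts -alias <name> -file ca.pem -keystore <cacerts>, which is the fix used in the ColdFusion Builder thread further down this page.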

  • Whenever I try to download a YouTube video using the IDM button at the bottom of the website, I get error e0x80029c4a.

    Original title: error e0x80029c4a

    Hello. I use Windows 7 64-bit. My problem is that when I try to download a YouTube video using the IDM button at the bottom of the site, the error e0x80029c4a keeps being displayed. So how do I solve this problem?

    Hi Kukuki,

    It's probably a problem with Internet Download Manager.

    If you have reinstalled the program and the problem still persists, you may have to contact Internet Download Manager support for assistance: http://www.internetdownloadmanager.com/support/index.html

  • XLS templates with BI Publisher and downloading the reports with APEX

    Hello

    I already create PDF reports with RTF templates. In APEX, I create a button and a "Download" process to get the PDF reports from BI Publisher. We use version 11.1.7.

    Now I am trying the same thing with XLS templates. I create the XLS template in the BI Publisher editor and there it works very well. Now I also need an APEX "Download" process to download the XLS reports to the client. The method I already use for RTF templates doesn't work.

    Kind regards

    Mark

    Hello

    I found here that the format has the value "excel", not "xls"!

    http://docs.Oracle.com/CD/E28280_01/doc.1111/e26693/ibr_config.htm#WCCAA2062

    Now it works like a charm!

    Kind regards

    Mark

  • "Peer not authenticated" with RDS using SSL configuration

    We have a remote ColdFusion 11 server, and I'm trying to configure ColdFusion Builder 3 on a Windows 7 computer. I have this RDS connection working in HomeSite with a similar configuration, but I get a "peer not authenticated" error in ColdFusion Builder on the same computer, connecting to the same server that HomeSite connects to successfully.

    I have seen references to AdminServerComponents_WWEJ.zip and have downloaded that and installed the files in ColdFusion11, but when I run 'adminstart' I get:

    'jrun' is not recognized as an internal or external command, operable program or batch file.

    There is no 'jrun.exe' on this server. So can I assume that this folder and the procedure are not necessary for ColdFusion 11?

    I can't find any answers anywhere on how to get this working with ColdFusion 11...

    Thanks for any help anyone can offer. -bg

    After a very successful remote session with Charlie (whose diagnostic and troubleshooting skills are beyond amazing), we got this sorted out. It seems that HomeSite accepts the SSL certificate on the web server, but ColdFusion Builder does not.

    We had to export the SSL certificate of the (external) website that we used as the RDS host (saving it to a .cer file) and import it into the ColdFusion Builder certificate store (C:\ColdFusionBuilder3\jre\lib\security\cacerts) on my PC running ColdFusion Builder, using the JDK keytool program.

    Problem solved. I could NEVER have figured it out on my own...

    Thank you, Charlie!

  • How to hide a row in BI Publisher using conditional formatting

    Hello

    I use BI Publisher 11.1.1.5.0.

    I need to hide the entire row based on a condition (if sal > 0 then hide the entire row). Please can you help with how I can achieve this?

    Thank you

    Hello

    I found the solution in

    Report Designer's Guide for Oracle Business Intelligence Publisher Release 11g (11.1.1), Ref. E13881-02, section on conditional formatting.

    Thank you
