Oracle® Enterprise Manager Cloud Control Advanced Installation and Configuration Guide 12c Release 2 (12.1.0.2) Part Number E24089-17 |
|
|
PDF · Mobi · ePub |
Oracle Business Intelligence (BI) Publisher is Oracle's primary reporting tool for authoring, managing, and delivering all your highly formatted documents. BI Publisher ships standard with Enterprise Manager Cloud Control 12c.
IMPORTANT:
Only BI EE 11.1.1.6.0, which contains BI Publisher 11.1.1.6.0, is supported for use with Enterprise Manager 12c Cloud Control Release 2 (12.1.0.2.0).WARNING:
Do NOT attempt to install BI EE 11.1.1.6.0 onto Enterprise Manager 12c Cloud Control Release 1 (12.1.0.1.0)This chapter covers the following topics:
Post-Upgrade Steps to take after upgrading to BI Publisher to 11.1.1.6.0
EMBIP* Roles: Granting Access to Folders and Catalog Objects
Managing Enterprise Manager - BI Publisher Connection Credentials
In order to integrate BI Publisher with Enterprise Manager 12c, BI Publisher is installed separately, but shares the same Middleware home, as Enterprise Manager. This installation is performed using the standard Business Intelligence Enterprise Edition 11.1.1.6.0 installation that is specific to the platform on which Enterprise Manager is installed. BI Publisher is then integrated into the same WebLogic Server domain as Enterprise Manager using the configureBIP script. Once configured, you will be able to take advantage of the standard features BI Publisher offers, such as:
Highly formatted, professional quality, reports, with pagination and headers/footers.
PDF, Excel, Powerpoint, Word, and HTML report formats.
Develop your own custom reports against the Enterprise Manager repository (read-only repository access).
Integration with Enterprise Manager Security.
Grant varying levels of BI Publisher functionality to different Enterprise Manager administrators.
Use BI Publisher's scheduling capabilities and delivery mechanisms such as e-mail and FTP.
Note:
The Information Publisher (IP) reporting framework, though still supported in Enterprise Manager 12c Cloud Control, was deprecated as of Enterprise Manager 12c release 12.1.0.1. No further report development will occur using the IP framework.The following are limitations apply to the use of reports and data sources.
Out-of-box reports cannot be edited.
If Out-of-box reports are copied, there is no guarantee that the copies will work with future product releases.
Only Oracle Business Intelligence (BI) Publisher version 11.1.1.6.0 can be used with Enterprise Manager 12c Cloud Control Release 2 (12.1.0.2) .Versions of Business Intelligence Publisher older than 11.1.1.6.0 are not compatible with Enterprise Manager Cloud Control Release 2 (12.1.0.2). You can download Oracle Business Intelligence Publisher version 11.1.1.6.0 directly from the Enterprise Manager Cloud Control download Web site.
http://www.oracle.com/technetwork/oem/grid-control/downloads/index.html
See the link titled Oracle Business Intelligence Publisher 11.1.1.6.0.
Determining BI Publisher Platform Support
To determine whether your software platform is supported by BI Publisher, refer to Chapter 2: System Requirements and Certification of the Oracle® Fusion Middleware Quick Installation Guide for Oracle Business Intelligence 11g Release 1 (11.1.1) for BI EE system requirements.
For system requirements and certification information, refer to the Oracle Business Intelligence chapter in the Oracle Fusion Middleware Release Notes for your platform. The documents are available on Oracle Technology Network (OTN) at the following location:
http://www.oracle.com/technetwork/indexes/documentation/index.html
The following procedures assume that you are familiar with both BI Publisher and Enterprise Manager. Refer to the Oracle Enterprise Manager Basic Installation Guide and the Oracle Enterprise Manager Advanced Installation and Configuration Guide for detailed information about Enterprise Manager.
Both Enterprise Manager and BI Publisher must be installed with a centralized inventory file. This means that /etc/oraInst.loc
(or the Windows registry) points to the same directory for both installs. Although it is possible to install both products with an inventory file specific to each product, this configuration is not supported and will not allow complete integration between Enterprise Manager 12c and BI Publisher 11g.
In order to support the required resources for BI Publisher, the first OMS system (where BI Publisher is initially installed) needs the following additional system requirements above and beyond what is already required by Enterprise Manager:
+1.5 GB of RAM
+10 GB of disk space
Any additional OMS(s) that is added to the domain, after BI Publisher has been installed on the first OMS, will also require an additional 10 GB of disk space.
For additional resource requirements, see the following support note:
How to Determine the Number of Servers Needed to Run BI Publisher Enterprise in a Production 10g or 11g Environment? (Doc ID 948841.1)
Installing Plug-in-Specific Reports: Some Enterprise Manager-provided BI Publisher reports belong to specific plug-ins. These plug-ins must be installed in order for these reports to be available. A plug-in can be installed before or after BI Publisher is configured to work with Enterprise Manager 12c. Enterprise Manager plug-ins can be installed using different mechanisms. All of these mechanisms support the installation of BI Publisher reports that are part of a plug-in.
Note:
Refer to the Oracle Enterprise Manager Basic Installation Guide for complete installation specifics.Note:
The BI EE Software-only Install instructions apply in the case of a new installation or in the case of an upgrade from 12.1.0.1 to 12.1.0.2 where 12.1.0.2 has been installed into a new Fusion Middleware Home.As mentioned at the beginning of this chapter, ONLY Oracle Business Intelligence Enterprise Edition 11g 11.1.1.6.0 can be used to integrate with Enterprise Manager 12c Release 2 (12.1.0.2)). No other product combination is compatible.
Integrating BI Publisher with Enterprise Manager requires changing the domain configuration and the Middleware home used by the Oracle Management Service. Backing up the entire Enterprise Manager Oracle Management Service installation ensures that you can recover the OMS in the event that errors occur during installation and configuration of BI Publisher.. For instructions on performing OMS backup, see the "Backing up Enterprise Manager" chapter of the Oracle® Enterprise Manager Cloud Control Administrator's Guide. Go to the section Oracle Management Service Backup.
Once the correct version of Business Intelligence Enterprise Edition 11g is downloaded, and the OMS backup has been performed, perform a software-only install of BI Enterprise Edition using the following steps:
Run the BI Enterprise Edition Publisher Installer:
Linux/UNIX: Disk1/runInstaller
Windows: Disk1/setup.exe
Note:
Insure that you use the correct media or download for BI EE 11.1.1.6.0.Note:
Insure that you use the correct media or download for BI EE that is appropriate for your hardware and operating system platform.(Optional) Choose E-Mail address for updates and click Next.
VERY IMPORTANT: Choose Software-only Install.
Click Next. Prerequisite checks will run.
After passing the prerequisite checks, click Next.
Choose the Middleware home of your Enterprise Manager installation. This is the Middleware home that you created previously.
BI Oracle home name must be left as the default Oracle_BI1. Click Next.
(Optional) Enter My Oracle Support (MOS) credentials to be notified of any security updates. Click Next.
When the software-only install of BI EE completes successfully, proceed to Integrating BI Publisher with Enterprise Manager using the configureBIP Script.
Integrating BI Publisher with Enterprise Manager requires changing the domain configuration. However, you must first back up the domain in case configuration problems occur. File permissions for the domain must be maintained when creating a backup, therefore the ZIP utility is the preferred mechanism to do so. For example:
cd <Instance-Home>/user_projects/domains zip -r GCDomain.zip GCDomain
IMPORTANT:
The configureBIP script must be run as the same operating system user who owns the Oracle Middleware Home.DO NOT run configureBIP as the Unix Super User (root).
There are two scenarios in which you would run configureBIP:
For both the fresh install and upgrade scenarios, in order to install and integrate BI Publisher 11.1.1.6.0 with Enterprise Manager 12c Release 2 (12.1.0.2), it is first necessary to do a software-only install of BI Enterprise Edition 11.1.1.6.0. However, when running the configureBIP script, there are additional command-line arguments that are necessary in the upgrade scenario.
Scenario 1: Fresh install of 12.1.0.2
The fresh install case is used when either of these conditions are met:
You are installing or upgrading to Enterprise Manager 12c for the first time. You did not have Enterprise Manager 12c Release 1 (12.1.0.1) installed previously.
You are upgrading to Enterprise Manager 12c Release 2 (12.1.0.2) from Enterprise Manager 12c Release 1 (12.1.0.1) and you had not previously installed and integrated BI Publisher 11.1.1.5.0 with Enterprise Manager 12c Release 1 (12.1.0.1).
Scenario 2: Upgrade from 12.1.0.1 to 12.1.0.2
Use the configureBIP script in upgrade mode if both of the following conditions are true:
You have already upgraded Enterprise Manager 12c Release 1 (12.1.0.1) to Enterprise Manager 12c Release 2 (12.1.0.2).
The previous installation of Enterprise Manager 12c Release 1 (12.1.0.1) had been integrated with BI Publisher 11.1.1.5.0.
Regardless of whether you run the configureBIP script in normal mode or upgrade mode, the script requires the following credentials in order to operate:
An Oracle account with SYSDBA privilege; normally the SYS account.
The database password for this account.
The WebLogic Admin Server password.
The Node Manager password.
Make sure to gather the above credentials before proceeding.
Both the normal mode and upgrade mode of configureBIP are discussed in detail in the following two sections. Be sure to operate the configureBIP script in the appropriate mode for your installation scenario.
From the OMS instance's ORACLE_HOME/bin directory (of the current Enterprise Manager 12c Release 2 (12.1.0.2) installation), execute the configureBIP script from the command line. For example:
cd /oracle/EM12cR2/middleware/oms/bin ./configureBIP
The script prompts for the necessary credentials.
The script executes the Repository Creation Utility (RCU), since this is normal mode, to create the BI Publisher database schema.
The script prompts for two inputs for the port(s) to use for the BI Publisher Managed Server: One port for non-SSL (not recommended) and one port for SSL.
The script then performs the extend-domain operations.
The last step the script performs is to deploy the Enterprise Manager-supplied BI Publisher Reports to the newly installed BI Publisher Web application.
Confirm that you have backed up your domain by answering the confirmation prompt with YES.
Enter a database user with SYSDBA privileges (typically SYS), and then enter the password (Enterprise Manager Repository database).
Enter the adminserver and then the nodemanager password. These accounts are part of Enterprise Manager WebLogic Domain.
Script Operation - Normal Mode (RCU):
Since you are installing BI Publisher for the first time, the schema will be created. You should see the something like the following output:
Checking for SYSMAN_BIPLATFORM schema... Attempting to create SYSMAN_BIPLATFORM schema... Processing command line .... Repository Creation Utility - Checking Prerequisites Checking Global Prerequisites Repository Creation Utility - Checking Prerequisites Checking Component Prerequisites Repository Creation Utility - Creating Tablespaces Validating and Creating Tablespaces Repository Creation Utility - Create Repository Create in progress. Percent Complete: 0 Percent Complete: 10 Percent Complete: 30 Percent Complete: 50 Percent Complete: 50 Percent Complete: 100 Repository Creation Utility: Create - Completion Summary Database details: Connect Descriptor: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=host.com)(PORT=1521)))(CONNECT_DATA=(SID=orcl))) Connected As: sys Prefix for (prefixable) Schema Owners : SYSMAN RCU Logfile: .../middleware/oms/cfgtoollogs/bip/emBIPLATFORM.log Component schemas created: Component Status Logfile Business Intelligence Platform Success .../middleware/oms/cfgtoollogs/bip/biplatform.log Repository Creation Utility - Create : Operation Completed
You will then be asked to enter BI Publisher HTTP and HTTPS (SSL) ports (either one or both). The script will identify free ports and ask if you want to take them as a default. Once entered, Extend Domain will then run. The ports can be in the range 9701-49152. Default port numbers are provided.
The Enterprise Manager-supplied BI Publisher Reports will be deployed to the newly installed BI Publisher Web application.
Once processing is complete, screen output similar to the following will be shown:
Extending domain with BI Publisher. This may take a few minutes... BI Publisher server running at https://host.com:9701/xmlpserver. Registering BI Publisher with Enterprise Manager and deploying reports... Successfully setup BI Publisher with Enterprise Manager
From the OMS instance's ORACLE_HOME/bin directory (of the current Enterprise Manager 12c Release 2 (12.1.0.2) installation), execute the configureBIP script with the -upgrade command-line argument. For example:
cd /oracle/EM12cR2/middleware/oms/bin ./configureBIP -upgrade
The script prompts for the necessary credentials.
The script prompts for the full directory path to the domain of the prior Enterprise Manager 12c Cloud Control Release 1 (12.1.0.1) installation. This installation already contains BI Publisher 11.1.1.5.0 report definitions and certain configuration data.
The script then executes the Patch Set Assistant (PSA) steps to upgrade the BI Publisher database schema, since this is an upgrade from a prior release of the BI Publisher.
The script prompts for two inputs for the port(s) to use for the BI Publisher Managed Server. One port for non-SSL (not recommended) and one for SSL.
The script then performs the extend-domain operations, but does not start the BI Publisher Managed Server.
The script migrates the reports and certain configuration data from the prior installation of BI Publisher 11.1.1.5.0 that was installed onto Enterprise Manager 12c Release 1 (12.1.0.1).
The script then starts the BI Publisher Managed Server.
The last step the script performs is to deploy the Enterprise Manager-supplied BI Publisher Reports to the newly installed BI Publisher Web application.
Note:
During an upgrade of BI Publisher 11.1.1.6.0 onto Enterprise Manager 12c Release 2 (12.1.0.2), the existing BI Publisher 11.1.1.5.0 schema will be upgraded from 11.1.1.5.0 to 11.1.1.6.0. This means that when performing an upgrade, all existing BI Publisher schedules will be carried over to the new installation of BI Publisher 11.1.1.6.0Optional: If your BI Publisher file system-based repository is in a shared storage location from the prior install, and you also want to continue to use this shared location for the new install, then the report and configuration migration performed in step 6 above is not required. In this situation, you can run configureBIP using the following syntax:
./configureBIP -upgrade -nomigrate
Confirm that you have backed up your domain by answering the confirmation prompt with "yes".
Enter a database user with SYSDBA privileges (typically 'sys'), then enter the password. (Enterprise Manager repository database).
Enter the adminserver and then the nodemanager password. These accounts are part of Enterprise Manager WebLogic Domain.
Enter the full directory path to the domain from the Enterprise Manager 12c Release 1 (12.1.0.1) installation. For example:
/oracle/em12cR1/middleware/gc_inst/user_projects/domains/GCDomain
When executing the script on a Windows operating system, use double-backslashes to separate directory entries. For example:
C:\\EMInstall\\middleware\\gc_inst\\user_projects\\domains\\GCDomain
The patch set assistant then runs to upgrade the BI Publisher schema. Output similar to the following will be generated.
Upgrading from a prior release of BI Publisher With a file-system repository Located at: /oracle/em12cR1/middleware/gc_inst/user_projects/domains/GCDomain Checking for SYSMAN_BIPLATFORM schema... Attempting to upgrade SYSMAN_BIPLATFORM schema... EM 12c BIPLATFORM 11.1.1.5.0 schema detected. Begin upgrade process to 11.1.1.6.0 ... Begin to execute Oracle Fusion Middleware Patch Set Assistant (PSA) ... PSA returns with status: 0 Successfully upgraded SYSMAN_BIPLATFORM schema...
You will then be asked to enter BI Publisher HTTP and HTTPS (SSL) ports (either one or both). The script will identify free ports and ask if you want to take them as a default. The ports can be in the range 9701-49152. Defaults are provided. Once entered, Extend Domain will run, but the BI Publisher Managed Server will not be started until step three.
Certain reports and configurations from the BI Publisher 11.1.1.5.0 installation will be migrated (unless the "-nomigrate" option was supplied on the command-line).
The BI Publisher Managed Server will be started
The Enterprise Manager-supplied BI Publisher Reports will be deployed to the newly installed BI Publisher Web application.
Once processing is complete, screen output similar to the following will be generated.
Extending domain with BI Publisher. This may take a few minutes... Migrating BI Publisher Filesystem repository from "/oracle/em12cR1/middleware/gc_inst/user_projects/domains/GCDomain /config/bipublisher/repository" to "/oracle/emNewInstall/middleware/gc_inst/user_projects/domains/GCDomain /config/bipublisher/repository"... Starting the Upgraded BI Publisher Managed Server... BI Publisher server running at https://host.com:9704/xmlpserver. Registering BI Publisher with Enterprise Manager and deploying reports... Successfully setup BI Publisher with Enterprise Manager
Log in to Enterprise Manager as a Super Administrator.
From the Enterprise menu, select Reports and then BI Publisher Enterprise Reports.
Prior to BI Publisher being integrated with Enterprise Manager, the BI Publisher Reports page appears as follows:
Once BI Publisher has been integrated with Enterprise Manager, you may have to click the refresh icon at the top right of the Enterprise Manager window (highlighted in the previous graphic) in order for the UI to reflect the changes.
Enterprise Manager displays a tree list showing all of the Enterprise Manager- supplied BI Publisher reports as shown in the following graphic
This graphic shows the list of reports after all plug-ins have been installed. The report list will vary in size depending on the number of plug-ins that have been installed.
Click on the provided EM Sample Reports and the select Targets of Specified Type.
Log in to BI Publisher using your Enterprise Manager credentials.
You will see the sample report rendered on the screen. You can then use the full capabilities of BI Publisher such as PDF report generation and e-mail delivery.
BI Publisher shares the same security model, via WebLogic, that Enterprise Manager is configured to use. The security model is used both for authenticating access to BI Publisher, and also setting up access to different features of BI Publisher. The items to be discussed in the following sections are:
Once integrated, BI Publisher reports conform to the Enterprise Manager authentication security model.Enterprise Manager supports a variety of security models, as defined in the Oracle® Enterprise Manager Cloud Control Administrator's Guide (Configuring Security). To summarize, the security models that Enterprise Manager 12c supports are:
Repository-Based Authentication
Oracle Access Manager (OAM) SSO
SSO-Based Authentication
Enterprise User Security Based Authentication, with 2 options
LDAP Authentication Options: Oracle Internet Directory and Microsoft Active Directory
When BI Publisher is integrated with Enterprise Manager, it shares the same security model as Enterprise Manager. Security Model 1 - Repository-Based authentication, uses the Oracle database for authentication. The remaining 4 security models use an underlying LDAP server to authenticate users. For the purposes of this document, we classify the BI Publisher security model into one of these two categories:
Repository-Based Authentication
Underlying LDAP-based Authentication
The primary security attributes that apply to BI Publisher Reports are:
Each of these security attributes is detailed in the following sections.
Enterprise Manager ships with certain Oracle-provided BI Publisher catalog objects. These catalog objects consist of:
Folders
Reports (layout definitions and translations)
Datamodels (SQL queries against the Enterprise Manager repository)
Subtemplates (standard Enterprise Manager header shown above all pages of all report output)
These catalog objects are created when BI Publisher is installed and integrated with Enterprise Manager. They are placed in the "Enterprise Manager Cloud Control" folder. These catalog objects are created with certain permissions that, combined with the roles/groups discussed below, achieve the desired security model.
The domain policy store (OPSS) is used to control Enterprise Manager administrator access to objects in the BI Publisher catalog and conditional access to the BI Publisher "Administration" button.
OPSS is the repository of system and application-specific policies. Details regarding OPSS can be found in the Oracle® Fusion Middleware Application Security Guide. In a given domain, there is one store that stores all policies (and credentials) that all applications deployed in the domain may use. As both Enterprise Manager and BI Publisher are separate applications in the same domain, it is necessary to grant specific BI Publisher OPSS application roles to Enterprise Manager administrators in order for them to access and use BI Publisher.
When BI Publisher is installed, four OPSS application roles are created. These four OPSS application roles are combined with the permissions on the BI Publisher catalog objects in the "Enterprise Manager Cloud Control Folder" to achieve the rules shown in the following sections. In addition, when the underlying LDAP authentication security model is used, the LDAP groups can be mapped to these OPSS application roles.
In the Repository-based authentication security model, the domain policy store (OPSS) is used solely to control Enterprise Manager administrator's access to BI Publisher.
Below is a list of the OPSS application roles, and a description of the effective security model placed on BI Publisher catalog objects that ship with Enterprise Manager.
None - Enterprise Manager administrators without any BI Publisher role can access BI Publisher Reports via any delivery channel that BI Publisher supports, and that has been configured and made accessible the BI Publisher System Administrator. For example, any user can receive BI Publisher Reports via the BI Publisher scheduling and e-Mail delivery mechanism, if configured.
EMBIPViewer - Enterprise Manager administrators with this BI Publisher role can receive e-mails plus can view the Enterprise Manager-supplied BI Publisher reports.
EMBIPScheduler - Enterprise Manager administrators with this BI Publisher role can receive e-mails and can schedule the Enterprise Manager-supplied BI Publisher reports if they also have the EMBIPViewer role.
EMBIPAuthor - Enterprise Manager administrators with this BI Publisher role can receive e-mails, view the Enterprise Manager-supplied BI Publisher reports, and can create new reports in their private folder. They can also copy the Enterprise Manager-supplied BI Publisher reports into their private folder and customize them.
EMBIPAdministrator (Super Users) - Enterprise Manager administrators with this BI Publisher role have complete access to BI Publisher.
The following diagram shows the hierarchy of the above roles:
Note:
Access to the BI Publisher "Administration" button is granted via the OPSS application role. This button is used to perform advanced configuration on BI Publisher, such as setting up the e-mail server.Enterprise Manager Super Administrators
When the repository-based authentication security model is used, all Enterprise Manager Super Administrators are automatically granted the EMBIPAdministrator OPSS application role to facilitate setting up BI Publisher.
When an underlying LDAP authentication security model is used, Enterprise Manager Super Administrators are not automatically granted EMBIPAdministrator access to BI Publisher. See Section 16.x for more information on allowing access to BI Publisher for Enterprise Manager Administrators in an underlying LDAP-based Authentication security Model environment.
Granting the previously discussed four OPSS application roles is somewhat different depending on the BI Publisher security model that is in place. To review, the 2 security models that BI Publisher supports are:
Repository-Based Authentication
Underlying LDAP-based Authentication
wlst.sh can be used to grant access to the BI Publisher to Enterprise Manager administrators. The following wlst.sh usage example demonstrates using wlst.sh to grant VIEW access to the Enterprise Manager administrator named "JERRY" (italicized items are entered at the command-line). It is important to use uppercase letters for Enterprise Manager Administrator names.
Note:
If you have just upgraded to BI Publisher 11.1.1.6.0 on Enterprise Manager 12c Release 2 (12.1.0.2) from a prior installation of BI Publisher 11.1.5.0 on Enterprise Manager 12c Release 1 (12.1.0.1), all of your prior OPSS application grants are carried over from the prior installation. It is not necessary to grant access to BI Publisher to specific Enterprise Manager administrators that had already been granted access. In order to grant access to additional, or revoke access from existing, Enterprise Manager administrators, this step is still required.To run the script:
Connect to the Administration Server over the t3s protocol using the connect()
command. The command takes three arguments:
Username: Always 'weblogic'.
Password: This is the password that you used when you setup Enterprise Manager 12c Cloud Control.
Protocol: t3s (ssl), the host, and the port. These are the values for the WLS Administration Server. The port number is the same port number that you use when you connect to the WLS Administration Console in a browser. For example: https:<host>:<port>/console)
.
Grant EMBIP* role(s) to individual Enterprise Manager 12c Cloud Control administrators. Administrator "JERRY" is used in this example.
$MW_HOME/oracle_common/common/bin/wlst.sh [linux] wlst.cmd [windows] ... ... Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands wls:/offline> connect('weblogic','<pw>','t3s://host:port') ... ... Successfully connected to Admin Server 'EMGC_ADMINSERVER' that belongs to domain 'GCDomain'. wls:/GCDomain/serverConfig> grantAppRole(appStripe="obi",appRoleName="EMBIPViewer",principalClass="weblogic.security.principal.WLSUserImpl",principalName="JERRY") Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help(domainRuntime) wls:/GCDomain/serverConfig> exit()
Revoking VIEW Access to BI Publisher Reports
In the following example session you revoke VIEW access to BI Publisher reports from user "JERRY" (case is important).
$MW_HOME/oracle_common/common/bin/wlst.sh [linux] wlst.cmd [windows] ... ... Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands wls:/offline> connect('weblogic','<pw>','t3s://host:port') ... ... Successfully connected to Admin Server 'EMGC_ADMINSERVER' that belongs to domain 'GCDomain'. wls:/GCDomain/serverConfig> revokeAppRole(appStripe="obi",appRoleName="EMBIPViewer",principalClass="weblogic.security.principal.WLSUserImpl",principalName="JERRY") Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help(domainRuntime) wls:/GCDomain/serverConfig> exit()
When changing an Enterprise Manager administrator's BI Publisher access privileges (EMBIPViewer, EMBIPAdministrator, EMBIPScheduler, EMBIPAuthor) the Super Administrator needs to wait 15 or more minutes for the changes to propagate through OPSS and become effective. The change will then be effective the next time the administrator logs into BI Publisher.
Enterprise Manager and BI Publisher are separate applications. When using an underlying LDAP-based authentication model, LDAP groups defined in the external LDAP server can also be used to manage access to BI Publisher. These LDAP groups allow varying levels of access to BI Publisher. Hence, you can add an LDAP user as a member of one or more of these LDAP group and appropriate capabilities of BI Publisher will be exposed. These LDAP groups, which either need to be created or existing ones used, are coordinated with the permissions of the catalog object in the "Enterprise Manager Cloud Control" folder.
In an underlying LDAP-based authentication security model, the following steps are required:
The administrator of the LDAP server needs to use four external groups of any chosen name. These groups need to be grouped hierarchically. Existing groups can be used, or new ones can be created.
Important:
The group names must be all upper-case.Group Name Examples:
EMBIPADMINISTRATOR
EMBIPVIEWER
EMBIPSCHEDULER
EMBIPAUTHOR
The administrator of the LDAP server must then make the additional changes below in order to achieve the necessary hierarchical structure shown in the hierarchy diagram above. For example, using the sample LDAP group names above:
Make EMBIPADMINISTRATOR a member of EMBIPAUTHOR
Make EMBIPADMINISTRATOR a member of EMBIPSCHEDULER
Make EMBIPAUTHOR a member of EMBIPVIEWER
Note:
In LDAP, the terminology and concepts can seem backwards and confusing. For example, you want the EMBIPAUTHORS group to have as a member the EMBIPADMINISTRATORS group.Then, in order to grant access to BI Publisher and its catalog objects, the administrator of the LDAP server needs to make respective LDAP users a members of one or more of the above LDAP groups.
In order to map the four LDAP groups to the OPSS application roles described above, the LDAP groups need to be mapped using wlst.sh.
Note:
If you have just upgraded to BI Publisher 11.1.1.6.0 on Enterprise Manager 12c Release 2 (12.1.0.2) from a prior installation of BI Publisher 11.1.5.0 on Enterprise Manager 12c Release 1 (12.1.0.1), and the names of your LDAP groups have not changed, this step is not necessary, as the prior OPSS application grants are carried over to the new installation.For example, using the LDAP groups above (case is very important):
$MW_HOME/oracle_common/common/bin/wlst.sh [linux] wlst.cmd [windows] ... ... Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands wls:/offline> connect('weblogic','<pw>','t3s://host:port') ... ... Successfully connected to Admin Server 'EMGC_ADMINSERVER' that belongs to domain 'GCDomain'. wls:/GCDomain/serverConfig> grantAppRole(appStripe="obi",appRoleName="EMBIPViewer",principalClass="weblogic.security.principal.WLSGroupImpl",principalName="EMBIPVIEWER") Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help(domainRuntime) wls:/GCDomain/serverConfig> grantAppRole(appStripe="obi",appRoleName="EMBIPAuthor",principalClass="weblogic.security.principal.WLSGroupImpl",principalName="EMBIPAUTHOR") Already in Domain Runtime Tree wls:/GCDomain/serverConfig> grantAppRole(appStripe="obi",appRoleName="EMBIPScheduler",principalClass="weblogic.security.principal.WLSGroupImpl",principalName="EMBIPSCHEDULER") Already in Domain Runtime Tree wls:/GCDomain/serverConfig> grantAppRole(appStripe="obi",appRoleName="EMBIPAdministrator",principalClass="weblogic.security.principal.WLSGroupImpl",principalName="EMBIPADMINISTRATOR") Already in Domain Runtime Tree wls:/GCDomain/serverConfig> exit()
If you reconfigure your WebLogic Administration to use a custom trust store, then you must also configure BI Publisher accordingly. This also requires the trust store for the OMS to contain the certificate for the BI Publisher-managed server.
In order to use a trusted certificate from a signing authority, create a Java Key Store (JKS) containing the user certificate of BI Publisher server.
Note:
If you use an e-mail server with SSL, you will need to add the e-mail server's certificate to your trust store as well.Please refer to the BI Publisher documentation for instructions on configuring BI Publisher settings.
Common administrative tasks:
Configuring server properties, such as e-mail servers.
When performing an upgrade (using the configureBIP -upgrade command) from Enterprise Manager 12c Cloud Control Release 1 (12.1.0.1) that contains an installed BI Publisher 11.1.1.5.0, to Enterprise Manager 12c Cloud Control Release 2 (12.1.0.2), containing BI Publisher 11.1.1.6.0, you need to perform post-upgrade steps. This is required due to the removal of the underscores on all Enterprise Manager-supplied BI Publisher Catalog objects.
Any schedules associated with the following eight reports must be stopped [note the underscores]
EM_Sample_Reports
Targets_of_Specified_Type
[Chargeback]
Charge_Summary_Report
Charge_Trend_Report
Usage_Summary_Report
Usage_Trend_Report
[Consolidation_Planner]
Consolidation_Reports
[Events reports]
Escalated_Incidents_Report
Incident_History_Report
Top_Events_Report
The following datamodels [note the underscores] should be deleted from the EM_Datamodels folder:
Charge_Summary_Report
Charge_Trend_Report
Consolidation_Reports
Escalated_Incidents_Report
Incident_History_Report
Target_of_Specified_Type
Top_Events_Report
Usage_Summary_Report
Usage_Trend_Report
Delete these folders:
EM_Sample_Reports
Consolidation_Planner
The following reports must be deleted from their respective folders:
[Chargeback]
Charge_summary_report
Charge_trend_report
Usage_summary_report
Usage_trend_report
[Events]
Escalated_Incidents_Report
Incident_History_Report
Top_Events_Report
Any desired schedules from above that were stopped need to be restarted on the new report names without underscores.
By default, the shipping security model (as described in Authenticating and limiting access BI Publisher features, applies to BI Publisher catalog objects that are inside the "Enterprise Manager Cloud Control" folder. This is due to the fact that the catalog objects that exist in this folder are set up with a default set of permissions. See BI Publisher Permissions. BI Publisher catalog objects that are outside of this folder will not automatically contain these same permissions. For example, BI Publisher ships with numerous reports in a shared folder called "Samples". If it is desired to grant access to this folder to Enterprise Manager/BI Publisher users, other than EMBIPAdministrator, it is necessary for a BI Publisher super administrator (EMBIPAdministrator) to change the permissions of this folder. They do so by selecting the folder "Samples" and choosing "Permissions" in the bottom left task bar. They then need to add the four privileges (EMBIPAdministrator, EMBIPViewer, EMBIPAuthor, EMBIPScheduler) and grant appropriate access to that privilege such as VIEW report, run report online, to EMBIPViewer. The administrator can model the appropriate privileges to grant based on any of the shipping Enterprise Manager reports (for example, Targets of Specified Type).
Individual users, who have the EMBIPAuthor OPSS application role, can develop reports in their own private folders. These reports will not be available to other users.
Note:
The shared folder "Enterprise Manager Cloud Control" contains Enterprise Manager-provided BI Publisher Reports and is reserved for such. No custom-developed reports may be added to this folder hierarchy. The default security model that ships with Enterprise Manager specifically prohibits this.Note:
Only reports in the "Enterprise Manager Cloud Control" folder will show up in the Enterprise Manager BI Publisher Enterprise Reports menu (From the Enterprise menu, select Reports, and then BI Publisher Enterprise Reports).If a BI Publisher administrator (EMBIPAdministrator) wishes to create a new shared folder outside of the "Enterprise Manager Cloud Control" folder, they can do so. These reports would not show up in the Enterprise Manager BI Publisher reports menu but would be available to other Enterprise Manager administrators as long as appropriate permissions are granted as previously described.
All BI Publisher reports are granted read-only access to the Enterprise Manager Repository. This access is via the BI Publisher data source named EMREPOS. This access is via the Enterprise Manager user MGMT_VIEW, which is a special internal Enterprise Manager user who has read-only access to the Enterprise Manager Published MGMT$ database views. In addition, when reports are run, they are further restricted to the target-level security of the user running the report. For example, if user JOE has target-level access to "hostabc" and "database3", when user JOE runs a BI Publisher report (any report) he can only view target-level data associated with these two targets.
The following sections provide common strategies that can be used if problems occur with the Enterprise Manager/BI Publisher integration.
It is sometimes necessary to rerun configureBIP if certain error conditions occur. Before attempting to re-run configureBIP, be sure to use the WebLogic console to shutdown the existing BI Publisher managed server.
The following log files can be used to trace problems to their point of origin.
Location: ORACLE_HOME(oms)/cfgtoollogs/bip/*
Creating/upgrading the BI Publisher schema in the database
"emBIPLATFORM.log
"emBIPLATFORMcreate_<date>.log
"biplatform.log
"emBIPLATFORMcreate.err
Extending the Enterprise Manager domain with BI Publisher
"bipca_<date>.log
If BI Publisher is able to run successfully, but BI Publisher registration with Enterprise Manager fails, you can retry the registration by running:
emcli login -username=<admin username> -password=<admin password> emcli sync emcli setup_bipublisher -proto=http[s] -host=<bip_host> -port=<bip_port> -uri=xmlpserver
If a plug-in is installed subsequent to BI Publisher being installed and configured to work with Enterprise Manager, the BI Publisher reports that are part of the plug-in can be deployed from the Enterprise Manager installation to BI Publisher using the following commands:
emcli login –username=sysman Password: <pw> emcli sync emcli deploy_bipublisher_reports –force
This procedure can also be used to restore reports on BI Publisher if they become damaged.
Accessing BI Publisher from Enterprise Manager requires a direct connection between the two products in order to retrieve, display, and manage report definitions. Example: From the Enterprise menu, choose Reports and then BI Publisher Enterprise Reports. A tree view displaying BI Publisher reports within the Enterprise Manager Cloud Control shared folder appears as shown in the following graphic.
The first time you run the configureBIP
script to configure BI Publisher to integrate with Enterprise Manager, a dedicated WebLogic user is automatically created with the requisite credentials solely for the purpose of installation/configuration. Beginning with Enterprise Manager 12c Cloud Control release 12.1.0.1, you can configure these credentials using the EMCTL command config oms
.
emctl config oms -store_embipws_creds [-admin_pwd <weblogic_pwd>] [-embipws_user <new_embipws_username>] [-embipws_pwd <new_embipws_pwd>]
The config oms
command allows you to change the password, and optionally the username, used by Enterprise Manager to access the installed BI Publisher Web Server. Running the config oms
command requires the WebLogic Admin user's password.
Note 1: The config oms
command only changes the user credentials required for the Enterprise Manager - BI Publisher connection. The Enterprise Manager - BI Publisher connection credentials should match the credentials used elsewhere by the user. Example: Enterprise Manager users (database authentication), LDAP users, and WebLogic Server users. Use the corresponding application/console to create or manage the user within the installed credential store.
Note 2: This command is operational only if BI Publisher has been installed.
Note 3: It is not necessary to restart any managed server, such as EMGC_OMSnnnn or BIPnnnn.
Any valid credential that WebLogic supports is acceptable as long as that user also has the EMBIPAdministrators privilege (either in OPSS or LDAP, as appropriate).
Example: You have configured Enterprise Manager to use single sign-on (SSO) (backed by an LDAP credential store). The following steps illustrate the credential update process:
Create the LDAP user. Example: Create EM_BIP_INTERNAL_USER and assign this LDAP user a password such as XYZ123.
Make EM_BIP_INTERNAL_USER a member of the EMBIPADMINISTRATORS LDAP group. For more information about LDAP groups and Enterprise Manager-BI Publisher integration, see Allowing Access to BI Publisher for Enterprise Manager Administrators in an underlying LDAP Authentication security model environment.
Execute the EMCTL config oms
command:
emctl config oms -store_embipws_creds -embipws_user EM_BIP_INTERNAL_USER Oracle Enterprise Manager Cloud Control 12c Release 2 Copyright (c) 1996, 2012 Oracle Corporation. All rights reserved. Enter Admin User's Password: <pw> Enter new password that Enterprise Manager will use to connect to BI Publisher: XYZ123 Successfully updated credentials used by Enterprise Manager to connect to BI Publisher.
If you later change the EM_BIP_INTERNAL_USER password in the LDAP server, you can change the LDAP user's password by executing the config oms
command with the -store_embipws_creds
option. In the following example, the password is changed to ABC123.
emctl config oms -store_embipws_creds Oracle Enterprise Manager Cloud Control 12c Release 2 Copyright (c) 1996, 2012 Oracle Corporation. All rights reserved. Enter Admin User's Password: <pw> Enter new password that Enterprise Manager will use to connect to BI Publisher : ABC123 Successfully updated credentials used by Enterprise Manager to connect to BI Publisher.
BI Publisher operates as a separate, managed server in the same WebLogic domain that contains the OMS(s) and the AdminServer.
In order to shut down the BI Publisher managed server, do the following:
Log in to the AdminServer console as the WebLogic user with the correct password.
Click Servers.
Click the Control tab underneath the text Summary of Servers.
Place a check-mark next to the managed server BIP.
Double-check to make sure the check mark is next to the BI Publisher managed server, as opposed to EMGS_OMS1 or EMGC_ADMINSERVER managed servers.
Click Shutdown and choose when work completes.
Wait until BI Publisher has shut down. You can monitor the status of this operation by clicking on the refresh icon (the two arrows in a circle) above the text Customize this Table.
To start the BI Publisher managed server, do the following:
Navigate to the control page using steps 1-4 above.
Place a check mark next to the managed server BIP.
Double-check to make sure the check mark is next to the BI Publisher managed server and not the EMGS_OMS1x or EMGC_ADMINSERVER managed servers.
Click Start.
Wait until BI Publisher has started. You can monitor the status of this operation by clicking on the refresh icon (the two arrows in a circle) above the text Customize this Table.
If BI Publisher is to be run behind a load-balancer, as detailed in the Oracle® Enterprise Manager Cloud Control Administrator's Guide, issue the following commands after all configuration is complete:
emcli login -username=sysman Password: <sysman_password> emcli setup_bipublisher -proto=https -host=<load_balancer_host> -port=<load balancer port> -uri=xmlpserver -force -nodeploy