Scribd
Upload
55 views9 pages

OBIEE 11g Security Migration - Updated

Uploaded by

kchennup
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
55 views9 pages

OBIEE 11g Security Migration - Updated

Uploaded by

kchennup
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd

OBIEE 11g Security Migration

As part of refresh activity, we perform only below.

1. Export/Import of Users and Groups from Weblogic Console (Identity Store Migration)
2. Export/Import of Roles and Policies in Enterprise Manager (Policy Store Migration)

Note: Refresh doesn’t include any External Security, only native Weblogic security is taken care.

1. Identity Store Migration:


a.

In many cases, we might want to move all the users/groups defined in one environment to the
other. This is called as the Full Migration. Weblogic supports export of the entire LDAP directory.
So, to do an export, we log on to the Weblogic Console and navigate to the Migration tab within
the default security realm (myrealm).

Under the Export tab, specify the directory where you want the users/groups to be exported to and click
on Save
As soon as you save, you should see .dat files created under the directory.

You will notice that it not only exports the users and groups but also the roles and policies. But be aware
that the roles and policies are not BI EE roles and policies. Instead they are the policies specific Admin
Server.
Now to test the import process, created a new security realm called newrealm.

Note: This step is not required as “myrelam” will be present in the Target environment. Newrealm is just
created for testing purpose.

Note: Before Import from source to target, please take export of the target Identity Store. Follow the
same procedure as followed above in source [This is just for backup].

lets navigate to the Migration Section of the myrealm in the target environment and specify the
directory of the exported files.
Click on save

You should get a warning stating that CredentialMapper, XACMLRoleMapper & XACMLAuthorizer
providers are missing. For now we can neglect this error as ideally when you do the migration, it will be
on a realm where BI EE will have all these providers configured by default. So, you should not be getting
these warnings when doing an actual migration into an existing BI EE realm.

But you will notice that users and groups have been imported successfully as we have created the
DefaultAuthenticator provider. So, lets go to the Users and Groups tab of the DefaultAuthenticator
provider in the newrealm.
[Link] Store Migration :

For step 2, i.e. policy store migration, we do not have a migration wizard. The roles/policy get stored in
Weblogic configuration file called ‘[Link]’. We use a WLST utility “migrateSecurityStore”
which basically reads the source and target’s [Link] and kind of merges the information
and updates the target’s [Link]. For this, you need to take a copy of the above file from
source and target and place it in a temporary location on the target server. Copy the attached jps-config-
[Link] to target server’s temporary location, update the source and target server’s jazn file location
and run the migrateSecurityStore command. Check the below,

“[Link]” file location : /sid/admin/user_projects/domains/bi_<sid>/config/fmwconfig

Note: The below lines need to be modified in [Link] attached in the Refresh Document

Source Details :

<serviceInstance name="[Link]" location="/ood_repository/Arriva_Mig/policy_import/prod/[Link]"


provider="[Link]"><description>File Based Policy Store Service Instance</description></serviceInstance>
Target Details:

<serviceInstance name="[Link]" location="/ood_repository/Arriva_Mig/policy_import/dev/[Link]"


provider="[Link]"><description>File Based Policy Store Service Instance</description></ serviceInstance>

bash-4.1$ pwd

/ood_repository/Arriva_Mig/policy_import

bash-4.1$ ls

dev [Link] prod

bash-4.1$ ls dev/

[Link]

bash-4.1$ ls prod/

[Link]

bash-4.1$ /darr63/oraclebi/mwh/Oracle_BI1/common/bin/[Link]

migrateSecurityStore(type="appPolicies", srcApp="obi",
configFile="/ood_repository/Arriva_Mig/policy_import/[Link]", src="sourceFileStore",
dst="targetFileStore", overWrite="false")

Mar 3, 2016 [Link] PM [Link]


migrateAppPolicyData

INFO: Migration of Application Policies in progress.....

Mar 3, 2016 [Link] PM


[Link]$StrictErrorHandler error

WARNING: Invalid xml content was found. cvc-complex-type.2.3: Element 'jpsContext' cannot have
character [children], because the type's content type is element-only. Location: line 36 column 16.

WLS ManagedService is not up running. Fall back to use system properties for configuration.

Mar 3, 2016 [Link] PM [Link]


<init>

WARNING: No identity store associated with policy store found.

Mar 3, 2016 [Link] PM [Link]


clone

INFO: Migration of Application Roles started


Mar 3, 2016 [Link] PM [Link]
clone

INFO: Migration of Application Roles completed in [Link]

Mar 3, 2016 [Link] PM [Link] cloneAttributes

INFO: Migration of Attributes started

Mar 3, 2016 [Link] PM [Link] cloneAttributes

INFO: Migration of Attributes completed in [Link]

Mar 3, 2016 [Link] PM [Link] cloneFunction

INFO: Migration of Functions started

Mar 3, 2016 [Link] PM [Link] cloneFunction

INFO: Migration of Functions completed in [Link]

Mar 3, 2016 [Link] PM [Link] cloneResourceType

INFO: Migration of Resource Types started

Mar 3, 2016 [Link] PM [Link] cloneResourceType

INFO: Migration of Resources started

Mar 3, 2016 [Link] PM [Link] cloneResourceType

INFO: Migration of Resources completed in [Link]

Mar 3, 2016 [Link] PM [Link] cloneResourceType

INFO: Migration of Resource Types completed in [Link]

Mar 3, 2016 [Link] PM [Link] clonePermissionSet

INFO: Migration of Permission Sets started

Mar 3, 2016 [Link] PM [Link] clonePermissionSet

INFO: Migration of Permission Sets completed in [Link]

Mar 3, 2016 [Link] PM [Link]


clone

INFO: Migration of Admin Role Members started


Mar 3, 2016 [Link] PM [Link]
clone

INFO: Migration of Admin Role Members completed in [Link]

Mar 3, 2016 [Link] PM [Link] cloneRolePolicies

INFO: Migration of Role Policies started

Mar 3, 2016 [Link] PM [Link] cloneRolePolicies

INFO: Migration of Role Policies completed in [Link]

Mar 3, 2016 [Link] PM [Link]


clone

INFO: Migration of Grants started

Mar 3, 2016 [Link] PM [Link]


clone

INFO: Migration of Grants completed in [Link]

Mar 3, 2016 [Link] PM [Link]


migrateAppPolicyData

INFO: Migration of Application Policies completed, Time taken for migration is [Link]

Data is migrated to the store. Check logs for any failures or warnings, if logging is enabled.

The above script will update target “[Link]” i.e., in the location
/ood_repository/Arriva_Mig/policy_import/dev

 Copy the above updated file to original target file location


Take a backup of current “[Link]” file

cd <BI Domain Home>/config/fmwconfig

cp -p [Link] system-jazn-data.xml_b4_<RFC>_<DATE>

cd /ood_repository/Arriva_Mig/policy_import/dev

cp -p [Link] <BI Domain Home>/config/fmwconfig/[Link]

Restart BI Services.

Perform GUID Refresh.

Validate Target EM Console to ensure roles are created and membership is assigned.

You might also like