Tuesday, March 13, 2018

OBIEE 12c using database authentication provider - addendum

In older versions of OBIEE, DB based authentication were very popular using Initialization Blocks.
Oracle does not support this sort of authentication lately.
If you insist on Database as Authentication Provider, you can check chapter 3 of BI security Guide, "Configuring a Database as the Authentication Provider". Or the second half of this RittmanMead blog here.


2 things to remember:

1. When running the libovdadapterconfig script at the end, set the dataSourceJNDIName value as the JNDI Name and not the "regular" Name. Next, give the weblogic password, when requested for AdminServer password.



2. In case you made a mistake while running the libovdadapterconfig script, running it again informs you the adapter was already created. The guideline to fixing it is at the bottom of note 2226809.1 at Oracle Support:


Note: If for any reason the adapter would need to be recreated, follow steps detailed in the Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition -> Correcting Database Adapter Errors by Deleting and Recreating the Adapter
Note: If the delete adapter command is run as per the documentation, it gives the impression that the adapter was not deleted by returning this message:

'Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root MBean.' with no further message.

 
For example:

C:\app\Middleware\Oracle_Home_122120\oracle_common\common\bin>wlst.cmd
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> connect ('weblogic','Welcome1','t3://hostname.domain:9500')
Connecting to t3://hostname.domain:9500 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "bi".
Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.
wls:/bi/serverConfig/> deleteAdapter(adapterName='MySQLGroupProvider')
Location changed to domainRuntime tree. This is a read-only tree
with DomainMBean as the root MBean.
For more help, use help('domainRuntime')
wls:/bi/domainRuntime/> exit()

However, the adapter is effectively deleted and can be confirmed in the Weblogic Administration Console.




In my case the server is localhost:

Tuesday, February 6, 2018

Oracle Analytics Cloud 18.1.3 Patch is Available

Oracle Analytics Cloud (OAC) 18.1.3 Patch is available. You can see the list of new features in the "What's New document" here.

To summarize:

A full feature Delivers for OAC similar to  OBIEE. This seems to be the final component that covers the full OBIEE functionality in OAC.Interesting that documentation describes this as OAC Enterprise and Data Lake edition option. I'm not sure what the Data Lake part can do with Delivers.
Better integration with Synopsis as one more mobile option. 
Some improvements in Service management.
For Essbase users we have direct Cube Designer install and MDX ability to run on Essbase server and have the metadata and data output results exported to saved structures on Essbase (alternative to client).

This is the list from Oracle Documentation:

Reports and Dashboards

Use agents to deliver content Create agents that deliver your analyses, dashboards, and briefing books to specific recipients and to subscribers. See Enabling Content Delivery Through Agents and Automating Business Processes Using Agents.
Set up devices and individual delivery profiles Configure one or more devices where you want alerts and content from Oracle Analytics Cloud to be delivered. Set up personal delivery profiles to suit your different needs. See Configuring Your Devices and Delivery Profile.
Manage your deliveries in one place You can manage all your deliveries from the Console, that is, email deliveries and deliveries generated by agents.
Synopsis mobile app Create and share instant analytics from data on your mobile devices. See What can I do with Oracle Analytics Cloud Synopsis?



 Service management

Configure a public storage container during service creation Share data visualizations through a public storage container. Specify the container you want to use when you set up your service. See Creating a Service.
Update the password for cloud storage
Update the credentials Oracle Analytics Cloud uses to access Oracle Cloud Infrastructure Object Storage Classic. See Managing Credentials.
Connect to EssNet over HTTP
Connect from any software using Essbase Real Time Client (RTC) over HTTP protocol without needing to open ports or perform other configuration or communication. See Connecting to EssNet over HTTP.
Update the database passwords for Essbase services
Use a script to update the database administrator password for an Essbase service. See Updating Essbase Database Credentials.




 Essbase

Install Cube Designer from the Scenarios page You can download the Cube Designer installer directly from the Scenarios page in addition to the traditional installation from within Smart View. See Installing the Smart View Cube Designer Extension in Using Oracle Analytics Cloud - Essbase.
Export MDX query output to the service
You can run MDX queries and have their metadata and data output results exported to saved structures on Essbase. This is an alternative to viewing the query output on a client. For syntax used to export an MDX query, see MDX Export Specification in Technical Reference for Oracle Analytics Cloud - Essbase.

Tuesday, January 16, 2018

Using Oracle Data Visualization for analyzing matriculation examination results in Israel - Hebrew

I used Oracle Data Visualization to do some analysis of Israeli matriculation examination results. Sorry it's all Hebrew.
The post was published here: http://www.theoracles.co.il/dv_bagrut/

Monday, December 25, 2017

OBIEE 12 with external images

In OBIEE 12 a security enhancement was made. As a result, with default installation we can't see added images based on "Image URL" (the image is empty).



 After we solve that problem we can't save the analysis with the scary note:

" Catalog object privilege validation failed for user to path XXXXXXXXX. You do not currently have sufficient privileges to save a report or dashboard page that contains HTML markup. Custom column format may contain HTML tags, only the following formats may currently be used: 'Plain text', 'Plain text (don't break spaces)'. "


For the first we should add the following 3 lines in instanceconfig.xml.
        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
            <Enable>false</Enable>
            </ContentSecurityPolicy>
 

       </Security>


***** see better and secure option bellow.


For the second (saving) one more line. 
Both under the security section.


This is for version 12.2.1.3 - true value for EnableSavingContentWithHTML:
 (this option also returns the option of "Contains HTML Markup" in text object of dashboard)
         <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
            <Enable>false</Enable>
            </ContentSecurityPolicy>
            <EnableSavingContentWithHTML>true</EnableSavingContentWithHTML>
        </Security>

I didn't test it, but I believe this is for versions 12 under 12.2.1.3 - false value for CheckUrlFreshness:

         <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
            <Enable>false</Enable>
            </ContentSecurityPolicy>
            <CheckUrlFreshness>false</CheckUrlFreshness>
        </Security>
Next restart the presentation server (OBIPS)


As a result I can see images:



And the analysis can be saved.


***** a better and secure option
Following Gianni Ceresa advise, lets make it smarter. The <Enable>false<Enable> means we allow any source, and that is not very secure. It's better to allow specific sources.
For example the Pikachu picture comes from the site https://assets.pokemon.com
So I'll allow external sources only from that site. 

Instead of:

        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
            <Enable>false</Enable>
            </ContentSecurityPolicy>
 

       </Security>



In ContentSecurityPolicy I will add a Directive with the value of the site.

        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
                <PolicyDirectives>
                    <Directive>
                        <Name>img-src</Name>
                        <Value>https://assets.pokemon.com</Value>
                    </Directive>
                </PolicyDirectives>

            </ContentSecurityPolicy>
        </Security>

The picture that comes from URL: https://assets.pokemon.com/static2/_ui/img/chrome/external_link_bumper.png still works fine but if I try to use instead a picture of a Snorlax from the URL https://rankedboost.com/wp-content/plugins/ice/pokemon-go/Snorlax-Pokemon-Go.png it will not work:

As you might guess, it's not because OBIEE prefers Pikachu, but because I didn't allow anything from site https://rankedboost.com.
I'll add it to the Value like this:

        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
                <PolicyDirectives>
                    <Directive>
                        <Name>img-src</Name>
                        <Value>https://assets.pokemon.com https://rankedboost.com</Value>
                    </Directive>
                </PolicyDirectives>

            </ContentSecurityPolicy>
        </Security>

Restart OBIPS and....


You can see a deeper dive into CSP here: https://gianniceresa.com/2016/10/google-map-in-an-obiee-12c-analysis/







Just a reminder to myself, Oracle BI12c: placing custom images in BI Server and reference using fmap from https://biapplications.wordpress.com.


Moshe, hope it helps. Best wishes for next year.