Wednesday, July 20, 2011

Let’s talk about Oracle’s Secure Enterprise Search (SES) 11g


Introduction

Since the acquisition of Sun a few years ago, Oracle has more to offer, especially on the hardware side. From a software products company, Oracle has become a company with a lot of hardware as well. Oracle's Exadata and Exalogic are some of the top-tier hardware offerings that we all know; they are built on Sun x86 server hardware. There is a lot to talk about there. However, in this post I wanted to explore something less talked about.
If you are an Oracle shop running Enterprise Applications from Oracle, then you may want to look at the Enterprise Search application from Oracle to provide search capabilities for your intranet applications (especially for content management systems). I came to know about this recently when I was reading the Release Value Propositions for PeopleTools 8.52. Then I realized that this product is used in many other products from Oracle.

Functionality of SES

Secure Enterprise Search (SES) 11g (11.1.2) is Oracle's product for search operations in enterprise systems. A restricted-use license for SES is included with Oracle Database 11g Enterprise Edition (for use together with the Oracle 11g database). SES 11g runs on WebLogic Server, so it is, unsurprisingly, a Java application.
Oracle SES can crawl, index and search several source types. The source types built into SES are web content, files, emails, database tables and other SES instances. Using connectors, many content management products can be searched as well.
Here are some of the Oracle products that use, or will use, SES to provide search:
  • Proposed Peopletools 8.52
  • Fusion Applications
  • Oracle iAS/Portal
  • EBS
  • Siebel
  • WebCenter, etc.
My personal opinion is that installing something is the simple part with any of the Oracle products I know of. If you understand some of the basic concepts behind Oracle installers, then you are all set; nothing is complicated here and installation is easy. During the SES installation, make sure the port numbers and the data storage locations are set up correctly. Configuring a product for a specific implementation is more work, and some conceptual knowledge will be required at that point.
Most of the time, the content SES indexes is not public. The search engine must therefore crawl and index private content, and then make sure that each user sees only results for documents she is allowed to read. SES does this through identity plug-ins: Kerberos-based or LDAP-based authentication plug-ins identify the searching user, and the search results are filtered against the access control of the indexed documents.
The SES Scheduler runs jobs for crawling and related tasks. Custom scheduled tasks can also be written for SES using the Search API.
If you have a basic understanding of search engine concepts, then I think the SES Administration Tool is simple and easy to understand.

SES Connectors

Content to be searched comes from products from a variety of vendors, and in heterogeneous IT environments it is obviously not all in one system. SES can index and search these other target systems through SES Connectors, and different connectors exist for different systems. Oracle SES 11g connectors are delivered free with the SES product for:
  • Microsoft Exchange
  • NTFS File Systems
  • JDBC Connections to Oracle and MS SQL Server
  • Microsoft Sharepoint
  • Oracle Portal 9/10 etc.
Other SES Connectors are available for different products, especially content management systems. However, it looks like they need a separate license to be purchased. You can check the available SES Connectors here.

SES and Oracle products

I checked a few of the products that are using, or planning to use, SES. There are other Oracle products too; this is only the short list I know of:

Peopletools 8.52

The next release of PeopleSoft's PeopleTools (expected in Q3/Q4 2011) will use the SES framework in PeopleSoft systems. PeopleSoft applications currently use Verity software for search operations. We need to wait for the PeopleTools 8.52 release to see what is going to change.
To know more about PeopleSoft Application Search in the next release of PeopleTools, you can check here.

Fusion Middleware and Applications

WebCenter uses SES as its search provider. Fusion Applications also use SES as the default search provider.

Oracle iAS/Portal

Going forward, SES replaces Oracle's earlier Ultra Search as the search provider in newer versions of Portal.

Oracle EBS

Recent versions of EBS support SES. Check the system certifications for SES on EBS in My Oracle Support.
So that's it for now. See you in another post. Until then...

(Some) Internals of Oracle Identity Manager Access Policies


Introduction
Many enterprises are considering (or have already deployed) an identity management solution, either for effective IT automation to reduce costs or for compliance purposes. Oracle Identity Manager is part of Oracle's Identity and Access Management (IAM) solution. It provides functionality such as automatic user provisioning and compliance reporting.
In my personal opinion, Oracle Identity Manager (OIM) is a wonderful product from Oracle. Many people don't understand the basic concepts behind how OIM works. Worse, they blame the vendor product for their own failure to understand those basic concepts.
If you are planning to work with Oracle Identity Manager, then get ready to learn a lot of new things. OIM requires knowledge, and you should be familiar with the following:
  • LDAP Directory – especially Oracle Internet Directory or Oracle Directory Server (formerly Sun/Iplanet Directory)
  • Basic understanding of XML
  • Programming in Java
  • Concepts of Microsoft Active Directory and Microsoft Exchange (if you are planning to integrate them)
  • Most importantly, self-initiative and the interest to research things yourself when you can't find them on Google.
Oracle Identity Manager stores all user information, metadata, audit information and everything else related to data in a database (similar to Oracle Internet Directory, OID). There are two supported database environments for OIM to store data:
  • Oracle Database Server
  • Microsoft SQL Server
The second major component of OIM is the connectors. OIM connectors connect OIM to various systems across an enterprise. The good thing about OIM is that many connectors are available. Also, Oracle is standardizing some of the connector components so that all connectors look and feel the same. So, if you understand a few connectors, it will be easier to work with the rest.
The latest OIM connectors can be found here, where you can download them as well.
OIM Connector Certification (supported systems for OIM for user provisioning) can be found here.
OIM Connector documentation can be found here.

Basic OIM Concepts

Before we talk about Access Policies, we need to understand a few other OIM concepts. OIM has various objects that work together to achieve the necessary functionality. Ideally, OIM should manage the complete lifecycle of user accounts in an enterprise automatically, with no manual intervention during the creation, modification and deletion phases.
When a user is created in OIM, a corresponding row is created in the USR table. The USR table has many fields delivered OOTB (out of the box). For some enterprises this may not be sufficient, so additional fields can be defined as UDFs (User Defined Fields).
In OIM, almost everything revolves around the user account (which is what you would expect from identity provisioning software such as OIM). The user account is the central piece of data here.
In OIM, users are provisioned to, or de-provisioned from, Resources. A Resource is a target system such as Oracle Internet Directory or Active Directory.

What are OIM Access Policies?

Three types of objects are required to perform automatic provisioning based on policies. Using Access Policies for auto-provisioning is called "policy-based provisioning". The main objects required for policy-based provisioning are:
  • Rules
  • Groups
  • Access Policies
Rules place users into specific OIM Groups. Once a user is a member of a group, the Access Policies attached to that group perform policy-based provisioning. That is why we need to understand the dependencies between Rules, Groups and Access Policies.
Rules are evaluated whenever a user's attributes are updated (such as a password change or an email address change). Rules can also be re-evaluated through the OIM API updateUser() call.
In the Design Console, the "Policy History" form shows the details of the access policies and resources related to a user.
Starting from OIM 9.1.0.2 and later versions (and in Fusion Middleware Identity and Access Management 11.1.1.x), there is a scheduled task called "Evaluate User Policies" delivered OOTB. This task evaluates all the rules for the flagged users, adds or removes group memberships accordingly, and finally provisions or de-provisions resources according to the access policies.

Some Internals of working

The POL table holds the Access Policy definitions in the OIM database. Other tables relate to Access Policies as well; some of the interesting ones are:
  • POP – data about parent table in Access Policies
  • POC – data about child policies in Access Policies
  • POG – mapping between access policies and OIM groups (based on pol_key and ugp_key)
  • POF – Field Values in Access Policies
The USR table has a field called "USR_POLICY_UPDATE". I think the values can be null or 1. The "Evaluate User Policies" task uses this field as its selection criterion: it determines whether the access policies for that user will be re-evaluated on the next run.
The User Policy Profile tables, UPP and UPD, are important user-related tables that store the access policies applicable to a user and the relevant details. These tables are what the "Policy History" form reads when it is opened for a user in the OIM Design Console.
Two further tables, UPH and UHD, are the history tables for the corresponding User Policy Profile tables UPP and UPD.
The OIU table has two columns, OIU_POLICY_BASED and OIU_POLICY_REVOKE. Based on my understanding, these two columns are set according to whether the resource was provisioned by an access policy and whether that policy's "Revoke if no longer applies" option is set.
Process form tables (UD_ tables) contain a POL_KEY column populated with the access policy that provisioned the resource. This POL_KEY column is present in the OIM child tables as well.
Updating the underlying OIM tables directly is not recommended and not supported by Oracle; treat them as read-only. They are useful when you investigate scenarios such as why a user was not revoked automatically, or why she was not provisioned to a resource automatically.
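To make that kind of investigation concrete, here is a set of read-only diagnostic queries over the tables named in this section and in the Rules/Groups/Access Policies discussion above. This is an added example, not code from the original post or from Oracle; it assumes the Oracle Database dialect (MINUS, NVL) and the OIM 9.1/11gR1 schema. Everything the text itself does not name is an assumption and should be checked against your own OIM schema: the USG table for user-to-group membership, the POP columns OBJ_KEY and POP_DENIAL, the OBI/OBJ/OST tables for the provisioned instance, its resource object and its status, and the bind variable :login holding a USR_LOGIN value.

```sql
-- Added example: read-only diagnostics for OIM policy-based provisioning.
-- SELECT only; never UPDATE these tables (unsupported by Oracle).
-- Oracle SQL dialect. Assumed: run against the OIM schema, :login = USR_LOGIN.

-- 1. Which OIM groups is the user in, and which access policies hang off
--    those groups?  (Assumed: USG = user/group membership; POG = policy/group.)
SELECT u.usr_login,
       g.ugp_name,
       p.pol_key,
       p.pol_name
  FROM usr u
  JOIN usg   ON usg.usr_key = u.usr_key
  JOIN ugp g ON g.ugp_key   = usg.ugp_key
  JOIN pog   ON pog.ugp_key = g.ugp_key
  JOIN pol p ON p.pol_key   = pog.pol_key
 WHERE u.usr_login = :login
 ORDER BY g.ugp_name, p.pol_name;

-- 2. What each applicable policy grants, or explicitly denies.
--    Assumed: POP links a policy to a resource object (OBJ_KEY) and carries
--    the "deny" flag as POP_DENIAL.
SELECT p.pol_name,
       o.obj_name,
       pp.pop_denial
  FROM pol p
  JOIN pop pp ON pp.pol_key = p.pol_key
  JOIN obj o  ON o.obj_key  = pp.obj_key
 WHERE p.pol_key IN (SELECT pog.pol_key
                       FROM usg
                       JOIN usr u ON u.usr_key   = usg.usr_key
                       JOIN pog   ON pog.ugp_key = usg.ugp_key
                      WHERE u.usr_login = :login);

-- 3. What the user actually holds (OIU), whether it came from a policy, and
--    whether "Revoke if no longer applies" is set on it.
--    Assumed: OIU -> OBI (object instance) -> OBJ, and OIU.OST_KEY -> OST
--    holds the provisioning status (Provisioned, Revoked, ...).
SELECT o.obj_name,
       st.ost_status,
       oiu.oiu_policy_based,
       oiu.oiu_policy_revoke
  FROM oiu
  JOIN usr u  ON u.usr_key   = oiu.usr_key
  JOIN obi    ON obi.obi_key = oiu.obi_key
  JOIN obj o  ON o.obj_key   = obi.obj_key
  JOIN ost st ON st.ost_key  = oiu.ost_key
 WHERE u.usr_login = :login
 ORDER BY o.obj_name;

-- 4. The gap that usually answers "why was she not provisioned": resources
--    that an applicable, non-denying policy grants but for which the user has
--    no live instance. Rows here should be provisioned by the next
--    "Evaluate User Policies" run, provided USR_POLICY_UPDATE is set.
SELECT o.obj_name
  FROM pog
  JOIN usg    ON usg.ugp_key = pog.ugp_key
  JOIN usr u  ON u.usr_key   = usg.usr_key
  JOIN pop pp ON pp.pol_key  = pog.pol_key
  JOIN obj o  ON o.obj_key   = pp.obj_key
 WHERE u.usr_login = :login
   AND NVL(pp.pop_denial, 0) = 0
MINUS
SELECT o.obj_name
  FROM oiu
  JOIN usr u  ON u.usr_key   = oiu.usr_key
  JOIN obi    ON obi.obi_key = oiu.obi_key
  JOIN obj o  ON o.obj_key   = obi.obj_key
  JOIN ost st ON st.ost_key  = oiu.ost_key
 WHERE u.usr_login = :login
   AND st.ost_status <> 'Revoked';

-- 5. Users flagged for re-evaluation on the next scheduled run
--    (USR_POLICY_UPDATE = 1 after a rule-relevant attribute changed).
SELECT usr_login
  FROM usr
 WHERE usr_policy_update = 1;
```

Run these from SQL*Plus as a user with SELECT privileges on the OIM schema only; the point of keeping a separate read-only account is that nobody is tempted to "fix" a stuck user by editing OIU or USR_POLICY_UPDATE by hand. If query 4 returns a row but query 5 does not list the user, the policy is applicable and nothing is going to pick it up until the user is flagged, which is the classic cause of "the access policy exists but nothing happened".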

A Sample Implementation

Here is a scenario to explain the use of access policies for automatic provisioning of resources in OIM. Consider an enterprise moving to OIM. It has rules that determine how user accounts are created, modified or deleted. As an example I use just these two rules (in the real world there can be 100+ or even 200+ rules):
  1. All users in the HR department will be members of the AD group "HR Department"
  2. All users in the "IT Operations" department should have a Unix account on the server "exadata-200"
In the first case, you define an OIM Rule that places users whose department is "HR Department" into the OIM Group "Group_HR_Department". Then, whenever a user is a member of that OIM Group, an access policy provisions the user to the "HR Department" AD group automatically.
In the second case, a Rule checks the department and places the user in a group; an access policy attached to that group then provisions a user account on "exadata-200" automatically.

Closing note

Access Policies are just one of the features of OIM; there are many others. Implementing OIM is easy if you understand these underlying basic concepts. Understanding the target systems is also useful when investigating issues during the implementation.
As in every project, collecting the requirements is important. In OIM implementations this is really important, and documenting the requirements is even more so. A sufficient amount of testing is another consideration for OIM implementation projects. I will cover the logistics of an OIM implementation in another post.
As the saying goes, "The more you know, the more you know what you don't know". This is true for OIM (and for so many other things in IT). There are still some things I don't know about OIM Access Policies. I am just working with OIM on what I know now (and still learning).
Okay, I hope that is it for this post. We will meet in another post with more interesting details about OIM. Until then...

Tuesday, July 19, 2011

Business Objects FRS Pruning


Hello Techies,

This is a continuation of the Business Objects File Repository Servers blog, and we are going to see how to optimise the File Repository Servers by FRS pruning.

Have you ever had the chance to see how a Crystal or WebI document or instance is stored internally in the file system? Here it is.

The document is saved internally in the file system within one or more folders with randomly generated names.
What happens if the report or the instance is deleted?

Only the report or the instance itself is deleted, leaving the temporary folders as they are. Over time there will be thousands of empty folders in the FRS, which becomes a headache for the administrator when the FRS has to be backed up: the backup process is very time consuming, occupies more space, and in the end the FRS becomes inefficient.

How to get rid of this?

The "-Prune" switch, added at the end of the command line of the File Repository Servers, is handy here.

Working with FRS Pruning and Tracing

The -Prune switch, added at the end of a server's command line, makes the server go through the 'Input' or 'Output' folder in the internal 'FileStore' folder of Business Objects Enterprise and clean up all the empty directories.

The -Trace switch, added at the end of a server's command line, logs the activity of that specific server in the 'Logging' folder of the BOE installation directory.

The empty FRS directories need to be deleted periodically to clean up the disk, but not manually. Instead, the FRS servers should be started with the -Prune command-line switch. While this switch is in effect, the FRS servers' status remains 'Starting' until the deletion is done. Once the deletion is done, the servers stop. The -Prune switch then has to be removed manually to allow the servers to start normally.

Working with FRS Pruning and Tracing

Add -Trace and -Prune

1. Stop the File Repository Servers (both IFRS and OFRS) in the CCM (XI R2) or in the CMC (XI 3.x).

2. Add the -Prune switch at the end of the command line of both FRS servers (Input and Output), and also the -Trace switch so that you can check it is cleaning up the files and folders that are empty.

3. Start the servers and monitor the pruning process; you should gain hard disk space.

Remove -Trace and -Prune

1. Stop the servers and remove the -Trace and -Prune switches from the FRS command-line parameters.

2. Start the servers again normally.

Viewing Log files

You can find the log files in the following location (for XI 3.x):

C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\Logging

Points to remember
  • If any empty folders still exist after the pruning process, they may be kept by BO for its own housekeeping.
  • Don't leave the prune option enabled after the prune has completed. Once pruning has completed successfully the FRS stops. The command line has to be modified again to remove -Prune and -Trace, and the server has to be started manually.
  • The pruning process does not clean up CMS objects that have lost the FRS files they point to.
Please note that -Prune is an undocumented feature in Business Objects. Since it deletes directories inside the FileStore, take a backup of the FileStore before using it, and try it in a non-production environment first.

We will see more about the Business Objects Servers Tuning in the upcoming blogs.

Happy Blogging!!  Keep reading!!


Friday, May 27, 2011

Windows AD authentication for Business Objects using Kerberos – Part II

This is the continuation of our SSO configuration, starting from the SIA configuration.
4.     Configuring the Server Intelligence Agent to use the service account
In order to support Kerberos, the Server Intelligence Agent must be configured in the CCM to log on as the service account:
To configure a Server Intelligence Agent
1)  Start the CCM.
2)  Stop the Server Intelligence Agent.
3)  Double-click the Server Intelligence Agent and the Properties dialog box is displayed.
4)  On the Properties tab:
  • In the Log On As area, deselect the System Account check box.
  • Enter the user name and password for the service account.
  • Click Apply, and click OK.
5)  Start the Server Intelligence Agent again.
5.     Configure the AD plug-in
In order to support Kerberos, we have to configure the Windows AD security plug-in in the CMC to use Kerberos authentication.

To configure the Windows AD security plug-in for Kerberos

  • Go to the Authentication management area of the CMC and Click the Windows AD tab.
  • Ensure that the Windows Active Directory Authentication is enabled check box is selected.
  • In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.
  • Enter the credentials that have read access to Active Directory in the Name and Password fields.
Note:
Use the format Domain\Account in the Name field, for example NA\BOLab-Admin.
  • Enter the default domain in the Default AD Domain field.
Note:
Use FQDN format and enter the domain in uppercase; here it is NA.HEXAWARE.COM.
  • In the Mapped AD Member Group area, enter the name of an AD group whose users require access to Business Objects Enterprise, and then click Add.
  • In the Authentication Options area, select Use Kerberos authentication.
  • In the Service Principal Name field, enter the SPN that was registered for the service account with SETSPN in Part I.
In this case, BOBJCentralMS/TESTSERVER.NA.HEXAWARE.COM.
  • Click Update
6.     Configure the Tomcat web.xml file
Modify the InfoView web.xml file so that Windows AD is the default authentication mode.
To configure InfoView for AD authentication mode, edit the web.xml file in the
\Tomcat55\webapps\InfoViewApp\WEB-INF directory.
In web.xml, change the value of the authentication.default context parameter from secEnterprise to secWinAD.
7.     Configure the Krb5AuthLoginModule and krb5.ini
Create the folder C:\WINNT (if it does not already exist) and store the following two files in it:
  1. krb5.ini
  2. bscLogin.conf
The contents of the krb5.ini and the bscLogin.conf were the following:
Note: 1. This must be done on every computer that runs an application server.
2. The KDC is the domain controller (or controllers) of the domain in question.
8.     Configure the Tomcat Java option
Launch the Tomcat Configuration program and add the following Java options in the Java Options box on the Java tab:
-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=C:\WINNT\krb5.ini
I hope this is useful for Kerberos-based Windows AD authentication. Feel free to get back to me in case of any issues; I am privileged to help you all. Happy Blogging!

Monday, May 16, 2011

Windows AD authentication for Business Objects using Kerberos

Hi All,
Hope you continue to read our series of blogs. Let me discuss Single Sign-On implementation in Business Objects in this blog.
Configuring Windows Active Directory SSO with SAP BusinessObjects XI 3.1 is one of the challenges for a Business Objects administrator. If you go with a Java-based BO deployment, utmost care should be taken, as Java is case sensitive (and so are Kerberos realm names, which are written in uppercase).

What is Single sign-on?

Single sign-on (SSO) is a user authentication process that lets a user enter one name and password to access multiple applications. It authenticates the user for all the applications she has been given rights to and eliminates further prompts.

Role of Kerberos in SSO

Kerberos is a network authentication protocol that provides strong authentication for client/server applications using secret-key cryptography. The user authenticates to an authentication server (the Key Distribution Center, which in Active Directory is the domain controller), which issues a ticket. The client presents this ticket to the application service, which verifies it with the key it shares with the KDC, and the user is granted access.

This blog refers to

TESTSERVER - BusinessObjects server running Windows Server 2008. The version is XI 3.1 SP3.
ADSERVER - Active Directory server running Windows Server 2003. Its domain functional level is 2003.
BOLAB-ADMIN – Service Account used to run Business Objects Service.

Steps for configuring Windows AD authentication

Below is a general overview of the steps required to configure Business Objects Windows authentication using Kerberos.
  • Setting up a service account
  • Configure the service account rights
  • Register the Service Principal Name (SPN)
  • Configuring the Server Intelligence Agent to use the service account
  • Configure the AD plug-in
  • Configure Tomcat web.xml file
  • Configure the Krb5AuthLoginModule and krb5.ini
  • Configure the Tomcat Java option

Setting up a service account

To configure Business Objects Enterprise for Kerberos and Windows AD authentication, we need a service account: a domain account that has been trusted for delegation. We can either use an existing domain account or create a new one. The service account will be used to run the Business Objects Enterprise servers.
Setting up a service account with delegation on a Windows 2003 domain
  • Create an account on the domain controller or use an existing account.
  • Right-click the user account, then select Properties.
  • Click the Delegation tab.
  • Select "Trust this user for delegation to any service (Kerberos only)".
The Delegation tab is only shown once an SPN has been registered for the account, so if it is missing, do the SETSPN step below first and come back. Also note that "any service" is unconstrained delegation, which lets the account impersonate users to any service in the domain; where your environment allows it, test the more restrictive "Trust this user for delegation to specified services only" with just the services the Business Objects servers need.

1.     Configure the service account rights

In order to support Active Directory authentication, you must grant the service account the rights "Act as part of the operating system" and "Log on as a service". This must be done on each machine running the Server Intelligence Agent service.
To configure this:
1. Click Start -> Administrative Tools -> Local Security Policy.
2. Expand Local Policies and click User Rights Assignment.
3. Double-click "Act as part of the operating system" and click Add User or Group.
4. Add the user account that has been trusted for delegation and click OK.
5. Double-click "Log on as a service" and click Add User or Group.
6. Add the user account that has been trusted for delegation and click OK.
"Act as part of the operating system" (SeTcbPrivilege) is the most powerful user right in Windows; an account holding it is effectively equivalent to SYSTEM on that machine. Protect the service account's password accordingly, and grant the right only on the machines that need it. In order to support Kerberos, the service account must hold this right on each machine running the following servers:
  • CMS
  • Page Server
  • Report Application Server
  • Web Intelligence Report Server

Adding the Service account to the Administrators Group

  • On the desired machine, right-click My Computer and then click Manage.
  • Go to Configuration > Local Users and Groups > Groups.
  • Right-click Administrators and then click Add to Group.
  • Click Add... and enter the logon name of the service account.
  • Click Check Names to ensure the account resolves.
  • Click OK, and then click OK again.
  • Repeat these steps for each Business Objects server that has to be configured.

2.     Register Service Principle Name (SPN)

If you deploy Business Objects services in a network that uses the Kerberos protocol for mutual authentication, you must create a Service Principal Name (SPN) for the Business Objects services when they are configured to run as a domain user account. The SETSPN utility manages the Service Principal Names of accounts in Active Directory.
  • Open a command prompt and enter this command:

SETSPN.exe -A BOBJCentralMS/HOSTNAME serviceaccount

Replace HOSTNAME with the fully qualified domain name of the machine running the CMS service, for example TESTSERVER.NA.HEXAWARE.COM. Replace serviceaccount with the name of the service account that runs the CMS service; in this case it is BOLab-Admin.
SETSPN.exe -A BOBJCentralMS/TESTSERVER.NA.HEXAWARE.COM BOLab-Admin
  • Once run, you should receive a message similar to the one below:
Registering ServicePrincipalNames for CN=ServiceCMS, CN=Users, DC=DOMAIN, DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object
To list what is currently registered for the account:
SETSPN.exe -L BOLab-Admin
An SPN must be unique in the forest: if BOBJCentralMS/TESTSERVER.NA.HEXAWARE.COM is also registered on another account, Kerberos authentication to the CMS will not work reliably. On Windows Server 2008 or later, SETSPN.exe -X reports duplicate SPNs; on a 2003 domain, check the -L output of any other account that might have been used for an earlier attempt.
I will discuss more about the subsequent steps in the upcoming blog.