Security Realms

Management of the overarching system security takes place in the Security Realms area. A Security Realm is a configuration area for managing how WLS resources are protected. This is where you configure the users, groups, and other security profiles that determine how access is granted to applications deployed on the WLS server and to the WLS administration console itself. More than one Security Realm can exist, but only one can be the active realm from which the security configuration for the application server is sourced. Thus, during the Oracle BI installation configuration, only one Security Realm, myrealm, is created. It is within this realm that we will configure and manage authentication providers such as a company's LDAP directory.

Tip

Note that WLS itself contains an embedded LDAP directory, also referred to as the DefaultAuthenticator. It follows the open-standard LDAP v3 protocol and could indeed support a custom-built directory in which a small organization hosts its users (10,000 or fewer) and groups. Although most organizations use an enterprise LDAP directory such as those offered by Microsoft or Oracle, it is always good to know the capabilities of a tool.

Later in this chapter, we will conduct a step-by-step exercise in assigning an enterprise LDAP directory - Microsoft Active Directory (MSAD) - as a WLS identity provider to show how an organization's core network-identity authentication repository can be used with the Oracle BI Fusion Middleware architecture. Let's take a look at navigating through the Security Realm area to understand where the key points of activity reside:

  1. From the left-hand-pane navigation menu, expand bi > Security Realms.
  2. Click on the only Security Realm, myrealm, under the Name column in the Realms table list.
  3. The default landing sub-tab is Configuration > General. This area highlights a few of the global Security Realm settings, which can be left alone for a basic Oracle BI configuration.
  4. Click on the Users and Groups main tab, then click the Users sub-tab.
  5. This will show the WLS-embedded LDAP server users. There should, by default, be three users established during the installation configuration: weblogic (biadmin, or whatever you decided to call this administrative user during the installation), OracleSystemUser, and LCMUser:
    • There is no longer a default BISystemUser, which is a change from the previous Oracle BI 11g version

  6. Additional users can be added to this list at any time by clicking the New button and completing the resulting Add new user form.

  7. Click on the Groups sub-tab.

    Similar to the users established by default within the embedded WLS LDAP directory, several groups are also established. The default installation propagates three core Oracle BI groups: BIAdministrators, BIAuthors, and BIConsumers.

  8. Click on the Providers main tab. Ensure the Authentication sub-tab is selected as the default. If not, click it.

    You should be able to see the three default identity providers: Trust Service Identity Asserter, DefaultAuthenticator, and DefaultIdentityAsserter. These are the defaults of the WLS installation. It is here, under the Providers > Authentication sub-tab, that you may configure an LDAP directory, as described later in this chapter.

  9. Click on the main Migration tab.

    Here you can see that security-provider information can be imported and exported. This is good to know when copying security credentials from one server environment to another. The Oracle BI 12 documentation emphasizes that security migrations must be conducted using the new lifecycle management tools in this version, not the techniques of previous versions.
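
The inventory these steps walk through in the console (users, groups, and authentication providers in myrealm) can also be compared against the installation defaults from a script. The following is an added example, not code from the book or from Oracle. The function names and the sample data are constructed for illustration, and collect_from_wlst assumes it is called from an online WLST session, after connect(), with WLST's cmo object.

```python
# Added example: baseline audit of the active realm against the defaults
# this page lists for an Oracle BI 12c installation.
DEFAULT_USERS = ["OracleSystemUser", "LCMUser"]  # plus the install-time admin
BI_GROUPS = ["BIAdministrators", "BIAuthors", "BIConsumers"]
DEFAULT_PROVIDERS = ["Trust Service Identity Asserter",
                     "DefaultAuthenticator", "DefaultIdentityAsserter"]

def audit_realm(users, groups, providers, admin_user="weblogic"):
    """Return (kind, name, note) findings that differ from the defaults."""
    expected = DEFAULT_USERS + [admin_user]
    findings = []
    for u in users:
        if u == "BISystemUser":
            findings.append(("user", u, "11g-era account, not a 12c default"))
        elif u not in expected:
            findings.append(("user", u, "added after installation"))
    for u in expected:
        if u not in users:
            findings.append(("user", u, "default account missing"))
    for g in BI_GROUPS:  # other WLS groups exist by default, so only check these
        if g not in groups:
            findings.append(("group", g, "core Oracle BI group missing"))
    for p in providers:
        if p not in DEFAULT_PROVIDERS:
            findings.append(("provider", p, "added after installation"))
    for p in DEFAULT_PROVIDERS:
        if p not in providers:
            findings.append(("provider", p, "default provider missing"))
    return findings

def drain_cursor(atn, cursor):
    """Walk a WLS list cursor (from listUsers/listGroups) and return the names."""
    names = []
    while atn.haveCurrent(cursor):
        names.append(atn.getCurrentName(cursor))
        atn.advance(cursor)
    atn.close(cursor)
    return names

def collect_from_wlst(cmo):
    """Read users, groups and providers of the default realm via WLST MBeans."""
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    atn = realm.lookupAuthenticationProvider("DefaultAuthenticator")
    users = drain_cursor(atn, atn.listUsers("*", 0))
    groups = drain_cursor(atn, atn.listGroups("*", 0))
    providers = [p.getName() for p in realm.getAuthenticationProviders()]
    return users, groups, providers

# Constructed sample data so the audit logic can be exercised without a server.
SAMPLE_USERS = ["biadmin", "OracleSystemUser", "LCMUser", "BISystemUser", "jsmith"]
SAMPLE_GROUPS = ["Administrators", "BIAdministrators", "BIAuthors"]
SAMPLE_FINDINGS = audit_realm(SAMPLE_USERS, SAMPLE_GROUPS, DEFAULT_PROVIDERS + ["MSAD"], "biadmin")
```

Accounts created through the New button in step 6, or providers added later under Providers > Authentication, show up as "added after installation" findings to be reviewed against change records.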
