Sunday 31 May 2015

EPM workspace integration with OBIEE 11.1.1.9

It wasn't so long ago that I wrote a post about integrating EPM 11.1.2.3 workspace with OBIEE 11.1.1.7. Now, with the recent release of OBIEE 11.1.1.9, I have to keep up the tradition and test whether the integration still works. If I don’t, I will just get asked the question, so I thought I would get there before it gets asked.

Once again I am not going to go into too much detail because I have covered it all before and you can read about it in the following blogs:

OBIEE 11.1.1.7 integration with EPM 11.1.2.2

OBIEE 11.1.1.7 integration with EPM 11.1.2.3

Issues with OBIEE/Workspace when using SQL Server

EPM 11.1.2.4 workspace integration with OBIEE

For the integration I am going to use a clean install of OBIEE 11.1.1.9 with an EPM 11.1.2.4 environment, using Oracle as the database repository.

The Oracle OBIEE documentation covering the integration has not changed from 11.1.1.7, so I assume the process must be the same. Here is a high-level walkthrough of the steps; if you want further information, check out my previous blogs.

Configure same MSAD configuration in EPM Shared Services and OBIEE WebLogic Admin Server

I didn't think I would get stuck at the first step as I have never had issues before, but I got stalled at hooking up OBIEE to the AD. It wasn't a problem with the configuration, as both EPM and OBIEE were configured exactly the same as in previous versions.


There were no problems returning the users in Shared Services or logging in with an AD user.


Both the WebLogic Admin console and Enterprise Manager were returning the AD users and I could log into both using an AD user.

The problem was logging into OBIEE with an AD user: it would just fail, and the logs would complain about the user not being found in the identity store.

After wasting too much time I noticed the following in the issues list in the documentation which I wasn’t expecting:

1.4.38 Authentication Fails Against Third Party LDAP When Virtualize is Set to True

Impacted Releases: 11.1.1.9

Platforms: All

When using Microsoft Active Directory as the Identity Store and also using the virtualize=true option, users are unable to login to Oracle Business Intelligence. This relates to Bug 20188679 - authentication fails against 3rd party ldap when virtualize=true set. Customers should check the availability of a patch for this issue on their installation platform before continuing to upgrade to 11.1.1.9.0.

This was exactly my issue and I would say it is quite a serious bug because it is so widely used.

At the time I first tested this out there was no patch available so I used a workaround but now the patch is available.


Fortunately applying the patch resolved the issue so on with the next steps.

Extract regSyncUtil_OBIEE-TO-EPM.zip 


Update reg.properties with version from EPM environment 




Copy css.jar, interop-sdk.jar and registry-api.jar from 11.1.2.4 EPM environment to equivalent OBIEE environment locations

I questioned whether this would still be required; I thought the files in OBIEE 11.1.1.9 might have been updated to match EPM 11.1.2.4.

Not so lucky, looking at the version of the files in the OBIEE instance highlights this:

css.jar



interop-sdk.jar



registry-api.jar



The files have not been updated since EPM 11.1.2.2. I am not sure why, but I suppose it depends on which version of workspace you intend to integrate with.

Well, that answers the question: you still need to copy the files across.
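One way to confirm the copy before moving on, as an added example that is not from the original post: the script compares the three jars in the EPM and OBIEE locations by SHA-256 and reports each jar's manifest version. The directory arguments, the helper names and the use of an Implementation-Version manifest attribute are assumptions, and the sample jars are constructed stand-ins.

```python
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

JARS = ("css.jar", "interop-sdk.jar", "registry-api.jar")  # the three files named in the post


def jar_info(path):
    """Return (Implementation-Version from the manifest or None, SHA-256 of the file)."""
    version = None
    with zipfile.ZipFile(path) as jar:
        if "META-INF/MANIFEST.MF" in jar.namelist():
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").replace("\r\n", "\n")
            for line in text.replace("\n ", "").splitlines():  # unfold wrapped continuation lines
                key, sep, value = line.partition(": ")
                if sep and key == "Implementation-Version":  # attribute name is an assumption
                    version = value
    return version, hashlib.sha256(Path(path).read_bytes()).hexdigest()


def compare_jars(epm_dir, obiee_dir):
    """Map each jar name to (status, EPM version, OBIEE version); status is match/differs/missing."""
    result = {}
    for name in JARS:
        src, dst = Path(epm_dir) / name, Path(obiee_dir) / name
        result[name] = ("missing", None, None)
        if src.is_file() and dst.is_file():
            (src_ver, src_hash), (dst_ver, dst_hash) = jar_info(src), jar_info(dst)
            result[name] = ("match" if src_hash == dst_hash else "differs", src_ver, dst_ver)
    return result


def make_sample_jar(path, version):  # constructed stand-in jar, not a real Oracle file
    manifest = f"Manifest-Version: 1.0\nImplementation-Version: {version}\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        epm, obiee = Path(tmp, "epm"), Path(tmp, "obiee")
        for d, ver in ((epm, "11.1.2.4"), (obiee, "11.1.2.2")):
            d.mkdir()
            for name in JARS:
                make_sample_jar(d / name, ver)
        print(compare_jars(epm, obiee))  # before the copy step: every jar differs
        shutil.copytree(epm, obiee, dirs_exist_ok=True)
        print(compare_jars(epm, obiee))  # after the copy step: every jar matches
```

Against a real installation, call compare_jars with the EPM and OBIEE directories that hold the three jars; any result other than match means the copy step is incomplete.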

On to the next step.

Run utility to share encryption key between EPM and OBIEE


No problems there.

Remove applicationID from OBIEE EPM registry

Use the EPM system registry tool to do this.



Register OBIEE in workspace by updating registration.properties and running HSSRegistration register

The properties file requires updating with information about the EPM instance; then run the utility to register.


Run EPM configure web server to add in OBIEE proxy information.


Proxy information added to the OHS configuration file.



At this point the OBIEE menus should be available in workspace and provisioning available in Shared Services. Please note that the provisioning only gives users access to the OBIEE menus in workspace and is totally separate from OBIEE provisioning.

Enable SSO authentication using fusion middleware control


Enable SSO, apply and activate changes.


Update instanceconfig.xml to add the HyperionCSS authentication schema



Update bridgeconfig.properties to enable Hyperion CSS authentication.



Restart EPM and OBIEE, provision AD user in Shared Services with OBIEE roles.


Tested logging into workspace with newly provisioned user


Good sign the OBIEE menus were available.


No problems, so single sign-on is working as expected.

If you are intending to use Essbase, HFM or Planning as data sources in OBIEE and want to use single sign-on, then set SSO in the connection pools.

The following Java system property requires adding to the setDomainEnv script


Until next time…

4 comments:

  1. Informative as always and appreciate all the posts. Have you tried this with OBIEE 12c yet? I'm working through it currently and have AD hooked up to WebLogic but can't seem to get into OBIEE with any MSAD credentials. We might be without a patch for a bit so was wondering what your workaround was? Thanks - JM

  2. Hi Jon,
    I don't see any details in the OBIEE 12c documentation about integrating with workspace, the sections have been removed, maybe it is not supported anymore due to the amount of changes.

    Cheers

    John

  3. Any idea what the settings are for the SSO using Custom in WebLogic EM 11.1.1.9? This version is now requiring logon and auto logon URL. Then it requires at least the sso.provider.class

    Thanks
    Rob

  4. Hey John,

    Thanks for the valuable insight, as always! Any idea if this integration will still work with 12c? I saw your response above but since that was 2 years ago I was wondering if you'd seen any changes that would enable it.
