Thursday, 20 March 2014

OBIEE 11g – Important Files for troubleshooting Authentication or Security Issues

This blog is an attempt to list down the process of creating clean set of logs which would simplify the process of diagnosing authentication or security issues.
Log and Configuration Files to Collect

For the majority of BI security issues, a clean set of following log and configuration files for diagnosing the issue

Domain Configuration files:

MW_Home\user_projects\domains\bifoundation_domain\config\config.xml - Always Required
MW_Home\user_projects\domains\bifoundation_domain\config\fmwconfig\jps-config.xml - Always Required
MW_Home\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\adapters.os_xml - Required if using multiple Authenticators (virtualize=true)

Log files from the Managed Server(s)

The following files are always required unless using a Simple Install

MW_Home\user_projects\domains\bifoundation_domain\servers\bi_servern\logs\bi_servern.out - note that this file is not created by default if you start the Managed Server from a command prompt/shell. Instead, you should start the Managed Server from the Weblogic Console.
MW_Home\user_projects\domains\bifoundation_domain\servers\bi_servern\logs\bi_servern.log
MW_Home\user_projects\domains\bifoundation_domain\servers\bi_servern\logs\biservern-diagnostic.log

Log files from the AdminServer

The following files are always required when using a Simple Install. These logs are sometimes useful for an Enterprise /Software Only Install

MW_Home\user_projects\domains\bifoundation_domain\servers\AdminServer\logs\AdminServer.log
MW_Home\user_projects\domains\bifoundation_domain\servers\AdminServer\logs\AdminServer-diagnostic.log
AdminServer.out – Make sure that following commands are used to create AdminServer.out file

e.g. windows: C:\MW_Home\user_projects\domains\bifoundation_domain\bin\startWebLogic.cmd
1>>C:\ade\BIGA1\user_projects\domains\bifoundation_domain\servers\AdminServer\logs\admin.out 2>&1
e.g. Linux: C:\MW_Home\user_projects\domains\bifoundation_domain\bin\startWebLogic.cmd
1>/MW_Home/user_projects/domains/bifoundation_domain/servers/AdminServer/logs/admin.out 2>&1

Oracle BI Configuration Files

MW_Home\instances\instance1\config\OracleBIServerComponent\coreapplication_obis1\NQSConfig.INI
MW_Home\instances\instance1\config\OracleBIPresentationServicesComponent\coreapplication_obips1\instanceconfig.xml .
MW_Home1\Oracle_BI1\bifoundation\web\display\authenticationschemas.xml

Oracle BI Server and Presentation Services Log Files
MW_Home\\instances\instance1\diagnostics\logs\OracleBIServerComponent\coreapplication_obis1\nqserver.log
MW_Home\\instances\instance1\diagnostics\logs\OracleBIPresentationServicesComponent\coreapplication_obips1\saw.log

Log Collection Process

It is important to include all the relevant logging including the standard out and standard error which would normally only be visible in the console that started the Web logic server. The logs should be created using the appropriate logging levels to collect necessary information for diagnosis of the issue.

The following process should be followed to generate a clean set of logs and configuration files for diagnosing security issues.

  • Enable Web Logic logging at appropriate level
  • Enable FMW logging via EM and persist changes using the settings
  • Stop Web Logic and BI processes
  • Enable additional logging for Oracle BI Presentation Services
  • Move or delete existing log files so that the clean logs start from the time the issue is being re-produced
  • Re-start the Weblogic and BI Processes
  • Re-produce the error
  • Stop Weblogic and BI processes
  • Log Levels Setting for Re-production of Issues
  • Following setting are recommended for log level settings to get meaningful information via log files which would help in process of diagnosis and troubleshooting.

Log Configuration for Web Logic Console

Set DebugSecurityAtn – Enabled

WLS Console > Environment > Servers > AdminServer > Choose Debug tag > Expand ‘weblogic’  under 'Debug Scopes and Attributes' > Expand 'security' -> expand 'atn' -> check the 'DebugSecurityAtn' and click 'enable' button

Log Configuration for Enterprise Manager

Login to EM> Web Logic Domain > bifoundation_domain > bi_cluster > bi_server1 (or Navigate to Weblogic Domain > bifoundation_domain > AdminServer) > select Logs > Log Configuration> In the Log Levels tab, navigate to Root Logger > oracle > oracle.bi
- Select the loggers listed below and set logging level to TRACE:32


Logger Names:
1.oracle.bi.security - to TRACE:32
2.oracle.idm.userroleapi - to TRACE:32
For multiple Authenticators (i.e. if they have set virtualize=true) please also set
oracle.ods to TRACE: 32

Log Configuration for Oracle BI Presentation Services

For SSO issues which uses headers, cookies and tokens. Additional Instanceconfig.xml settings:

<FilterRecord writerClassGroup="File" disableCentralControl="true"path="saw.httpserver.request" information="16" warning="32" error="32" trace="32"incident_error="32"/>
<FilterRecord writerClassGroup="File" disableCentralControl="true" path="saw.httpserver.response" information="16" warning="32" error="32" trace="32" incident_error="32"/>

Source Document 
Please refer following source document from Oracle Support.
What Files To Provide To Support When Encountering Authentication Or Security Issues in OBIEE 11g (Doc ID 1434514.1)

No comments:

Post a Comment