Polya Milkova

Security Issues after Patching Oracle BI Publisher 11.1.1.9.0

posted on 10 Dec 2018 by polya in BI Publisher


As we all know, the patching process is not a big deal in most cases, but sometimes it is a "pain in the ass". As soon as I started dealing with BI Publisher, I faced issues which I want to share.

I discovered that after patching BIP, security loses its permissions. So, let's see how to fix it! :)


First I will show the patching process, which is standard for BI 11:

1. Log in to the server where BI is running, with the correct user. In our case the user is 'weblogic'.
Export your Oracle Home and check the inventory:

export ORACLE_HOME=/opt/oracle/BIPublisher11g/Oracle_BI1
$ORACLE_HOME/OPatch/opatch lsinv

2. Upload the zip file with the patch p28609078, unzip it and change directory to 28609078

In this directory, you can find the readme.txt, where all steps are described. 

You have to check that the OPatch version is 11.1.0.8.2 or higher.

3. As a pre-patch step you have to stop the running servers from the WebLogic admin console. Log in to the WebLogic Administration Console and stop the managed server and AdminServer.

http://IP.Address:Port/console

4. After all of the above is checked and prepared, we can proceed with applying the patch: 

[weblogic@wl-server 28609078]$ $ORACLE_HOME/OPatch/opatch apply 

Oracle Interim Patch Installer version 11.1.0.10.3
Copyright (c) 2013, Oracle Corporation. All rights reserved.

Oracle Home : /opt/oracle/BIPublisher11g/Oracle_BI1
Central Inventory : /opt/oracle/oraInventory
from : /opt/oracle/BIPublisher11g/Oracle_BI1/oraInst.loc
OPatch version : 11.1.0.10.3
OUI version : 11.1.0.11.0
Log file location : /opt/oracle/BIPublisher11g/Oracle_BI1/cfgtoollogs/opatch/28609078_Nov_09_2018_07_42_42/apply2018-11-09_07-42-42AM_1.log

OPatch detects the Middleware Home as "/opt/oracle/BIPublisher11g"

Applying interim patch '28609078' to OH '/opt/oracle/BIPublisher11g/Oracle_BI1'
Verifying environment and performing prerequisite checks...
All checks passed.

Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/opt/oracle/BIPublisher11g/Oracle_BI1')

Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...

Patching component oracle.bi.xdo, 11.1.1.9.0...

Verifying the update...
Patch 28609078 successfully applied
Log file location: /opt/oracle/BIPublisher11g/Oracle_BI1/cfgtoollogs/opatch/28609078_Nov_09_2018_07_42_42/apply2018-11-09_07-42-42AM_1.log

OPatch succeeded. 
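The OPatch version requirement from step 2 can be checked before running opatch apply. The following is an added example, not part of the original post or of Oracle's tooling: it reads the OPatch banner and compares versions field by field, because a plain string comparison would rank 11.1.0.10.3 below 11.1.0.8.2. The function names and the sample banner are constructed for illustration.

```shell
# Added example: gate patching on the minimum OPatch version from readme.txt.
MIN_OPATCH="11.1.0.8.2"   # minimum stated in the post

# Print the version from an OPatch banner read on stdin,
# e.g. the line "OPatch version : 11.1.0.10.3".
opatch_version_from_banner() {
    sed -n 's/^OPatch [Vv]ersion[[:space:]]*:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, comparing each field as a number.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Return 0 only when the banner on stdin reports a usable OPatch.
opatch_ok() {
    found=$(opatch_version_from_banner)
    [ -n "$found" ] || { echo "OPatch version not found in input" >&2; return 2; }
    if version_ge "$found" "$MIN_OPATCH"; then
        echo "OPatch $found >= $MIN_OPATCH: OK"
    else
        echo "OPatch $found < $MIN_OPATCH: upgrade OPatch before applying" >&2
        return 1
    fi
}

# Constructed sample input in the banner format shown in the post.
SAMPLE_BANNER='Oracle Interim Patch Installer version 11.1.0.10.3
OPatch version : 11.1.0.10.3
OUI version : 11.1.0.11.0'

printf '%s\n' "$SAMPLE_BANNER" | opatch_ok
```

On a real server, pipe the output of `$ORACLE_HOME/OPatch/opatch lsinv` into `opatch_ok` instead of the sample banner.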

Now we are going to start the Admin Server and the managed server. First of all, set the domain environment, start NodeManager and start the WebLogic Scripting Tool (wlst):

. /opt/oracle/BIPublisher11g/user_projects/domains/bifoundation_domain/bin/setDomainEnv.sh

nohup /opt/oracle/BIPublisher11g/wlserver_10.3/server/bin/startNodeManager.sh &

/opt/oracle/BIPublisher11g/oracle_common/common/bin/wlst.sh

Connect to the NodeManager and start AdminServer: 

nmConnect('weblogic','weblogic1', host='localhost', port=5556, domainName='bifoundation_domain', domainDir='/opt/oracle/BIPublisher11g/user_projects/domains/bifoundation_domain', nmType='plain')
nmStart('AdminServer')

Now we can log in to the Administration Console http://IP.Address:Port/console and start the managed server from there. After starting the managed server we can see the error below in bipublisher.log, which is located here:

/opt/oracle/BIPublisher11g/user_projects/domains/bifoundation_domain/servers/bi_server1/logs/bipublisher/bipublisher.log

java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission
Context:APPLICATION Context Name:obi Admin Resource:APPLICATION_ROLE Actions:view)

This error is related to missing permissions in System Policies. You can access http://IP.Address:Port/xmlpserver but you are not able to open reports. To fix this issue, log in to Enterprise Manager: http://IP.Address:Port/em
Right-click the domain, which in our case is bifoundation_domain -> Security -> System Policies


For Type choose Codebase, then Name -> Includes -> bipublisher -> Search. Then click Create, or Create Like from one of the existing entries, and add:

file:/opt/oracle/BIPublisher11g/user_projects/domains/bifoundation_domain/servers/bi_server1/tmp/_WL_user/-


When you select the codebase that you just created, a window with the Permissions for Codebase appears below. For all of the Resource Names, the Permission Actions should be set to *. Only the last one can be set to read, as shown in the picture above. You can make these changes by clicking on the codebase that you have just added and then clicking Edit.
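To check bipublisher.log for this denial after a patch, and again after editing the System Policies, the scan below can be used. It is an added example, not part of the original post: the function names and the sample log are constructed, and the field layout is taken only from the error message quoted above.

```shell
# Added example (not from the original post): list JPS permission denials
# found in bipublisher.log so a post-patch permission loss is caught early.

# Read a log on stdin; print one line per distinct denial as
#   <permission class>|<context name>|<actions>
# The message can be wrapped onto a second line, as in the post, so an
# unterminated "access denied (" line is joined with the line after it.
policy_denials() {
    awk '
        function report(msg,    cls, ctx, act, key) {
            cls = msg
            sub(/^.*access denied \(/, "", cls)
            sub(/[ )].*$/, "", cls)
            ctx = "-"; act = "-"
            if (match(msg, /Context Name:[^ )]+/))
                ctx = substr(msg, RSTART + 13, RLENGTH - 13)
            if (match(msg, /Actions:[^ )]+/))
                act = substr(msg, RSTART + 8, RLENGTH - 8)
            key = cls "|" ctx "|" act
            if (!(key in seen)) { seen[key] = 1; print key }
        }
        { line = $0; joined = 0 }
        pending != "" { line = pending " " $0; pending = ""; joined = 1 }
        match(line, /AccessControlException: access denied \(/) {
            rest = substr(line, RSTART + RLENGTH)
            if (!joined && index(rest, ")") == 0) { pending = line; next }
            report(line)
        }
        END { if (pending != "") report(pending) }
    '
}

# Return 1 and print the denials if the log on stdin contains any.
check_policy_store_access() {
    denials=$(policy_denials)
    if [ -n "$denials" ]; then
        printf '%s\n' "$denials"
        return 1
    fi
}

# Constructed sample: the message from the post, once wrapped and once unwrapped.
SAMPLE_LOG='[constructed] bi_server1 started
java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission
Context:APPLICATION Context Name:obi Admin Resource:APPLICATION_ROLE Actions:view)
java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:obi Admin Resource:APPLICATION_ROLE Actions:view)'

printf '%s\n' "$SAMPLE_LOG" | policy_denials
```

Old entries stay in the log after the fix, so feed the function only the lines written since the last managed server restart when confirming the change.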

When the changes are applied you may have problems accessing http://IP.Address:Port/xmlpserver/servlet/catalog or http://IP.Address:Port/xmlpserver/servlet/admin

The problem might be related to browser caching, so you have to clear your browser's cached data and try to open it again. The issue will be fixed.

Another hint, if you cannot log in or access xmlpserver, is to remove the tmp and cache folders from the OS, which are located here:

/opt/oracle/BIPublisher11g/user_projects/domains/bifoundation_domain/servers/bi_server1

First, stop your BI managed server, remove both folders or rename them, and start the managed server again.

^^

It is good to know the above things about cached and tmp data, because they are not such a big deal, but if you do not know about them, they can waste your time for nothing.

Hope that you have enjoyed this post. :) 

Tags: #11g #BIPublisher #PolicyStoreAccessPermission #WLS #cache #codebase #p28609078 #security #tmp

1 comment

Comment from: kkovachki Member

Hmm, this is a totally different post; it looks like being an Oracle DBA is not only about the database but also other challenges like Oracle BI :)
This is a very useful post due to the fact that, in order to consider adding it here, you have maybe spent a lot of time.
This is great for the community.
#Oracle #OracleBI #BI #DBA

11/12/18 @ 08:12


This collection ©2023 by Polya Milkova