Introduction to Oracle Business Intelligence Web Services 1-3 wsil.browsing key to the credential store, see Adding and Maintaining Credentials for Use With the Action Framework .

1.4 Configuring and Securing the Oracle Business Intelligence Web Services for SOA

During installation, each Web service executeAgent, executeAnalysis, and executeCondition is assigned the policy:oraclewss_username_token_service_policy security policy. This policy requires the calling SOAP message to include a user name and token password in the WS-Security header. The user credentials that are passed to Web services through the incoming SOAP message can be any valid business intelligence user who has the proper access to the target business intelligence object being invoked. This method of security means that Web services can be called in a single step without first retrieving a session ID. Note that if required, you can change the security policy used by the Web services to any security policy available in Oracle WebLogic Server. Whereas invoking Web services uses the credentials passed in the calling SOAP message to invoke the target functionality, browsing the Web services using the WSIL uses a single user account. It is not currently possible to invoke the browsing mechanism using the credentials of the user performing the browsing using this mechanism. To enable browsing for Web services, you must go to Oracle Enterprise Manager, access the oracle.bi.enterprise map, which is located on the bifoundation_domain, and manually add the wsil.browsing credential to the credential store. This key holds the user ID and password for the valid user defined in the identity store. For example, if you want to browse for target web services as the user abell, you will add the credentials of abell to the wsil.browsing key in the credential store. In practice, a special user should be created in the identity store specifically for browsing the catalog for use with this functionality. This user should not have any business intelligence objects in their personal folder my folders, as other users will not be able to invoke this functionality. For more information about setting up users and credentials, seeOracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

1.5 Enabling SSL for Web Services Communication

Oracle recommends that you enable HTTPS on the Managed Server that hosts the Analytics and BI middleware J2EE applications. Un-encrypted credentials that are passed to the target web service may be intercepted, and using SSL is a way to mitigate this risk. After you set up SSL, see Invoking Oracle Business Intelligence Web Services Over HTTPS for information about certificates.

1.6 Invoking Oracle Business Intelligence Web Services Over HTTPS

To invoke Oracle Business Intelligence Web Services when using HTTPS, the client calling the Web service on the server for example, Oracle BPEL calling Oracle Business Intelligence Web Services for SOA needs to trust the server certificate. The server may have an authentic certificate provided by a well-known certificate authority, in which case the client may trust the server certificate without further configuration. However, by default, this is not the case, and the root certificate used by the Weblogic Managed Servers that are hosting the web services should be imported 1-4 Oracle Fusion Middleware Integrators Guide for Oracle Business Intelligence Enterprise Edition into the appropriate keystore of the Web services client that is calling these Web services. Oracle recommends that in a production environment you use a certificate signed by a well-know certificate authority. Use the following procedure to confirm the location of the root certificate of the Managed Servers that the Web services client needs to trust. To confirm the location of the root certificate: 1. Open the Weblogic console in a browser. By default, the location of the Weblogic console is: http:host:7001console. 2. From the Oracle WebLogic Server Administration Console, select the SSL tab and go to the Identity area. By default, the Certificate location is from the Demo Identity Keystore. If this is the case, navigate to the Keystores tab and review the location of the Demo Identity Keystore. Note that the Demo Identity Keystore’s default location is: middleware_homewlserver_10.3_serverlibDemoIdentity.jks 3. Use the Oracle Keytool utility to view and export the root certificate.