deploying obiee11g in the enterprise (ukoug 2012)

T : +44 (0) 8446 697 995 E : [email protected] W: www.rittmanmead.com

Deploying OBIEE 11g in the Enterprise

Mark Rittman, Technical Director, Rittman MeadUKOUG Conference & Exhibition, Birmingham December 2012



About the Speaker

• Mark Rittman, Co-Founder of Rittman Mead• Oracle ACE Director, specialising in Oracle BI&DW• 14 Years Experience with Oracle Technology• Regular columnist for Oracle Magazine• Author of two Oracle Press Oracle BI books• Oracle Business Intelligence Developers Guide• Oracle Exalytics Revealed• Writer for Rittman Mead Blog :

http://www.rittmanmead.com/blog• Email : [email protected]• Twitter : @markrittman


About Rittman Mead

• Oracle BI and DW platinum partner• World leading specialist partner for technical excellence, solutions delivery and innovation in Oracle BI• Approximately 50 consultants worldwide• All expert in Oracle BI and DW• Offices in US (Atlanta), Europe, Australia and India• Skills in broad range of supporting Oracle tools:

‣OBIEE‣OBIA‣ODIEE‣Essbase, Oracle OLAP‣GoldenGate‣Exadata ‣Endeca


Oracle Business Intelligence 11g

• Oracle’s business intelligence platform, now at version 11.1.1.6.x• Provides dashboards, reporting, ad-hoc analysis,

KPIs, mapping and other visualizations• Runs standalone, or embedded in

applications, called from business processes• Built around an enterprise semantic model• Based on Siebel Analytics technology,

extended by Oracle since 1997


Oracle BI Applications

• Packaged version of OBIEE that includes a data warehouse, and ETL mappings,from E-Business Suite, Siebel, SAP and Peoplesoft

• Covers areas such as Financial Analytics, HR Analytics, Sales Analytics etc• Built on the same technology as OBIEE 11g, plus ETL and administration tools


Basic OBIEE 11g Product Architecture (Single Node Enterprise Install)

•A single install is a called an “Oracle BI Domain”•Made up of Java components hosted in a WebLogic domain,

and Non-Java components in an Oracle Instance• Initial install places all components on a single server,

with the system managed by Enterprise Manager•Users access the system via a web browser (thin-client)•Developers access via a browser (EM) and via

Windows desktop tools (BI Administrator)•Typically one BI domain for DEV, one for TEST, one for PROD etc•Used in conjunction with a database (for repository schemas)


Part of Oracle Fusion Middleware 11g

•Oracle complete set of middleware servers and technologies•Based around Java, SOA, Oracle WebLogic Server and non-Java technologies•Foundation for Oracle’s applications and platforms such as Oracle Business Intelligence 11g



•Larger, “enterprise” customers may have additional requirements beyond the basic install‣ Integrating with an external identity store such as Active Directory‣ Implementing single sign-on, SSL or making parts of the BI system available externally‣Configuring the BI system for high-availability and/or failover‣ Integrating with external monitoring and diagnostic tools, or with Oracle Enterprise Manager‣The ability to manage an estate of BI systems from a

central control panel, apply patching etc•They may also want to integrate BI with their

existing “engineered systems” strategy


Integrating with External Identity Stores (OID, AD etc)

• OBIEE has a pluggable security system based around Oracle Fusion Middleware security• Out of the box configuration stores users and groups in an embedded LDAP server

‣Not designed for full production use, more to “get started”• Usual strategy for enterprise customers is to connect OBIEE (via Fusion Middleware Security)

to a corporate LDAP server such as‣Microsoft Active Directory‣Oracle Internet Directory

• External directory can be “in addition” to the embedded LDAP server, or completely replace it

• Multiple directories can be connected to OBIEE + FMW for federated identity

• Often used in conjunction with SSO, SSL and other tools‣Oracle Access Manager‣Oracle Entitlements Server etc


How Does OBIEE 11g Connect to Active Directory, OID etc?

• Many Oracle and third-party security providers and directories are supported for OBIEE 11g‣See System Requirements and Supported Platforms for Oracle BI EE 11g on OTN‣Note - not all directories supported by FMW11g are supported by OBIEE - check the list

• Recommended approach is to use WebLogic + OPSS to connect to the directory‣Init Blocks are deprecated and are a fall-back

if WLS not possible- Unsupported directory- Requirement to support legacy

ID management i.e. EBS• Configured through WebLogic Administration Console,

with AD & OID well documented


Configuring Single Sign-On and SSL for OBIEE 11g

•SSO and SSL are both configured through Enterprise Manager Fusion Middleware Control‣Or can be scripted through WLST + Oracle BI Systems Management API

•A number of Oracle and third-party SSO systems are supported•Configures the BI Presentation Server to accept pre-authorised creds. from the SSO provider


Externalizing OBIEE 11g Content Outside the Organization

• Most organizations deploy on their internal network, for internal users behind the firewall• But some may wish to deploy OBIEE 11g for external users

‣Make the BI system available for internal users, but on the road (via Web, via VPN etc)‣Make parts of it available to customers, or other external users‣Embed parts of it in other applications, e.g. Oracle WebCenter Portal‣Provide access via Oracle BI Mobile using Apple iPads, iPhones

• Security has to be a consideration though, in these scenarios


Deploying Compromisable Web Components in the Firewall DMZ

• When deploying OBIEE 11g content outside the organization, the key is to place all externally-facingservers into firewall DMZs (firewall web tier, firewall app tier)‣Relies on adding an additional HTTP server (typically OHS, with WebGate and mod_wl_ohs)‣Typically deployed as a load-balancing pair (or more) with a hardware load balancer‣If HTTP server is then compromised (hacked) it doesn’t provide access to data, other systems etc

• OBIEE components then optionally placed intoa firewall App Tier‣Separates them from the databases‣Or can just be located in the regular

internal network, with everything else


Securing Oracle BI Mobile

• Oracle BI Mobile supports SSL for connections, VPN via IOS settings• However some enterprises will still now allow applications such as these

‣Need the applications to be sandboxed, secured separate from the mobile device• Now supported with OBIEE 11.1.1.6.2 and the Oracle BI Mobile Security Toolkit

‣Sample code available on OTN for Apple iPad‣Lightweight SDK for integrating with MDM vendor of choice

• Prebuilt solutions from Good Technologies, Bitzer etc‣Makes it possible to deploy BI Mobile even with

very strict mobile app security rules


Configuring OBIEE 11g for High-Availability and Failover

• OBIEE 11g can be configured for HA and failover in several ways‣Vertical scaleout (adding components to the existing server) for BI Server etc redundancy‣Horizontal scaleout to add additional servers to the

WebLogic cluster (requires additional WLS EE license)‣Adding secondary BI Scheduler and

BI Cluster Controller components‣Adding failover and filesystem clustering to

protect WLS Administration Server and install/config files• Can also extend to the underlying

databases (repository schemas)‣Dataguard (log shipping) and RAC

(more scale-out than HA, but can allow rolling DB patching)

• How much HA do you need though, what sort of trade-off?


What Can Go Wrong within an OBIEE 11g Infrastructure?

• System components can fail on a single server‣Can protect by adding more components to the same

server, or to a separate server (active/active failover)‣BI Scheduler and BI Cluster Controller components

are active/passive, need to add secondary instances• WebLogic managed servers can fail

‣If horizontally scaled-out, WLS clustering shouldtake care of the fail, restarting if possible

• Java components within a managed server can fail‣Again, WLS should take care of these

• WebLogic administration server can fail‣Users can still log in if LDAP virtualization enabled,

and an external LDAP provider is configured


OBIEE 11g Enterprise Deployment Guide Infrastructure

• Adds additional redundancy and failover for mission-critical BI systems

• Deploys HTTP servers in a DMZ for security• Multiple redundant installs of

WLS administration server• WLS installation and configuration files

on a cluster filesystem• Use of VIPs, VHosts and other standard

abstraction / virtualization techniques• Ultimate in resilience, but complex to set up and

configure (though possible, and documented)


Monitoring and Systems Maintenance

• OBIEE 11g by default comes with two web-based consoles• Oracle WebLogic Administration Console manages WebLogic, including the LDAP server and WLS servers• Oracle Enterprise Manager Fusion Middleware Control manages Fusion Middleware, including

Oracle Business Intelligence 11g‣Some overlap in functionality‣Only manages a single BI domain‣No advanced alerting or other EM features


Oracle Enterprise Manager Cloud Control 12cR2 BI Management Pack

• Oracle Enterprise Manager Cloud Control 12cR2 is the “full” deployment of EM• Monitors databases, application servers, many other infrastructure components• Plug-ins for non-Oracle tools• Now supports OBIEE, Essbase and BI Apps through

the BI Management Pack (extra license cost)• Set alerts, monitor service levels,

monitor usage tracking etc• Perform wider WLS / FMW activities such

as cloning domains, patching etc• Also covers OBIA ETL elements, and

some Essbase metrics


Open-Source / Home-Grown Solutions : Nagios

• Free and/or open-source tools such as Nagios can be configured to monitor OBIEE functions• Enterprise monitoring tools such as those by BMC can parse OBIEE’s ODL-format log files and raise alerts• Other tools can monitor WebLogic

servers, restart them if needed• Open-format logs plus standard

hooks into WLS and OPMN functionality make most monitoringpossible with a bit of work


Oracle’s Hardware and Software Strategy : Engineered Systems

•Purpose-built engineered systems for large-scale data analysis•Oracle Exadata for filtering and advanced analytics against large relational data sets•Oracle Big Data Appliance supporting Oracle NoSQL, R and Apache Hadoop

Any Data,Any Source Oracle Exadata Oracle Big Data Appliance


Oracle Exalytics : First In-Memory Engineered System for Analytics

•Relational, Multi-Dimensional and Unstructured data analysis available as a single engineered system•Combination of in-memory hardware and optimized software versions•Supports the Exadata and Big Data Appliance data management systems

Exalytics In-Memory

Machine

Spans Relational, Multi-Dimensional, and Unstructured analysis, combined with Financial & Operational PlanningIn-Memory Optimized HardwareIn-Memory Oracle BI, TimesTen, Essbase, and EndecaMany In-Memory Software Innovations‣Tightly-Integrated with Exadata, and Big Data Appliance


More Information

•Thank you for attending this presentation, and more information can be found at http://www.rittmanmead.com•Contact us at [email protected] or [email protected]•Look out for our book, “Oracle Business Intelligence Developers Guide” out now!•Follow-us on Twitter (@rittmanmead) or Facebook (facebook.com/rittmanmead)



Mark Rittman, Technical Director, Rittman MeadUKOUG Conference & Exhibition, Birmingham December 2012


deploying obiee11g in the enterprise (ukoug 2012)

Technology

oracle exalytics

oracle bidw

oracle bi domain

oracle bi applications

oracle bi ee

oracle weblogic server

oracle enterprise manager

rittman mead oracle