Sunday, March 31, 2013

Resetting BISystemUser password in OBIEE 11g



BISystemUser is, by default, the user that the BI components use to communicate with one another; it can also be used when impersonation is used. It is referenced by an authenticator (usually the Default Authenticator, unless that has been changed to a different provider such as Active Directory or another directory).
 
The credentials for this user are managed via cwallet.sso, which is the default credential store, under oracle.bi.system - system.user. BISystemUser does not need any group membership; however, it does need the WebLogic global role called 'Admin' (note: this is not an 'Application Role' by any means). By default, BISystemUser is a member of an LDAP group called 'Administrators', which is assigned to the WebLogic global Admin role.
 
OracleSystemUser is used by Oracle Web Services Manager (OWSM), which is integrated with the WLS EM console to manage and secure web services through the administration of policies. By default, OracleSystemUser is a member of OracleSystemGroup in the WebLogic LDAP. It is also referenced via the Default Authenticator; this can be changed by following the FMW documentation.

More information can be found at: http://docs.oracle.com/cd/E21764_01/bi.1111/e10543/privileges.htm

To reset BISystemUser:

1. Stop the BI system components in Enterprise Manager.
Click on Business Intelligence > coreapplication > Availability

2. Log into the WebLogic Console and change the BISystemUser password.
Click on Security Realms > myrealm > Users and Groups > BISystemUser > Passwords

3. Change the password in EM:
WebLogic Domain > right-click on bifoundation_domain > Security > Credentials > oracle.bi.system > system.user > Edit > change the password

4. Start the BI system components from Enterprise Manager.
Click on Business Intelligence > coreapplication > Availability

5. Wait for 10 minutes.
6. Try the new password at the OBIEE URL.
 
If you configure Oracle BI to use an authentication provider such as Active Directory or OID, you must select a user from MSAD to use for this purpose and give that user the required permissions. You can create a new user in MSAD for this purpose or use a pre-existing user. You give the chosen user the permissions it needs by making it a member of the pre-existing BISystem application role.
 
Once you have removed the default BISystemUser from the Default Authenticator in order to configure an external LDAP store, you need to create another user to take the place of BISystemUser. While configuring this user, keep in mind the following considerations, any of which can cause authentication failures:

1. For the BISystemUser created in the external LDAP (Active Directory or any third-party user directory), the account in MSAD should not be configured with "Reset Password on First Login", since there is no password-reset screen when OBIEE uses this user for its internal communication.

2. OBIEE cannot handle special non-alphanumeric characters in the password. See BUG 11880111 - password restrictions for bisystemuser, for more information.

3. Make sure the password and the account of the external BISystemUser in the external LDAP are set to NEVER expire; otherwise you cannot log in to OBIEE.

4. Make sure you have assigned the correct roles and that your BISYSTEM and system.user passwords are always synchronised.

5. If you have changed the password of this account but have not updated the credential store with the new credentials (or have not restarted the system afterwards), authentication will fail.
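Considerations 1 to 3 can be checked before OBIEE is pointed at the account. The following is an added example, not part of the original post or of any Oracle tooling: it assumes the account's standard Active Directory attributes (userAccountControl, pwdLastSet, accountExpires) have already been read with an LDAP query, and the function name, sample entries and sample passwords are constructed for illustration.

```python
import re

# Standard Active Directory userAccountControl bit flags.
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# accountExpires values that AD treats as "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)

# Consideration 2: only plain alphanumeric passwords are accepted.
ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")


def check_service_account(entry, new_password=None):
    """Return findings for an AD entry meant to act as the BI system user.

    `entry` maps AD attribute names to values as an LDAP query returns
    them (strings or ints). An empty list means no issue was found.
    """
    findings = []
    uac = int(entry["userAccountControl"])
    if uac & UAC_ACCOUNTDISABLE:
        findings.append("account is disabled")
    # pwdLastSet = 0 is how AD records "must change password at next logon".
    if int(entry["pwdLastSet"]) == 0:
        findings.append("password change required at next logon")
    if not uac & UAC_DONT_EXPIRE_PASSWORD:
        findings.append("password is not set to never expire")
    if int(entry["accountExpires"]) not in NEVER_EXPIRES:
        findings.append("account has an expiry date")
    if new_password is not None and not ALNUM_ONLY.fullmatch(new_password):
        findings.append("password contains non-alphanumeric characters")
    return findings


# Constructed sample entries (not taken from a real directory).
GOOD_ENTRY = {"userAccountControl": "66048",  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
              "pwdLastSet": "130090000000000000",
              "accountExpires": "9223372036854775807"}
BAD_ENTRY = {"userAccountControl": "512",     # NORMAL_ACCOUNT only
             "pwdLastSet": "0",
             "accountExpires": "130500000000000000"}

if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(name, check_service_account(entry, "Passw0rd!"))
```

Considerations 4 and 5 (role assignment and keeping the credential store in step with the directory password) still have to be verified in EM and the WebLogic Console as described in the reset steps.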
 
Post your Questions/Comments.

27 comments:

  1. It's a great post, I got a lot from it!
    One question: why is the default user name BIADMIN in the system.user key, and what's the difference between them?

    thanks again!

  2. This is an excellent guide on changing BISystemUser Password. I have found this post very useful and interesting. Thanks a lot Vidya.

  3. THANK YOU
    This post was of great use when I just started with OBIEE 11g and then came across www.wiziq.com/course/22309 which is really good and helped me a lot to learn OBIEE 11g.

  4. wonderful piece of information, I had come to know about your blog from my friend Nandu , Hyderabad, I have read at least 7 posts of yours by now, and let me tell you, your website gives the best and the most interesting information. This is just the kind of information that I had been looking for, I'm already your RSS reader now and I would regularly watch out for the new posts, once again hats off to you! Thanks a ton once again, Regards, obiee online training

  5. [nQSError: 73006] Cannot obtain Oracle BI Servers from either the primary Cluster Controller (applsrv3.amgdom.com) or the secondary Cluster Controller () specified for the clustered DSN. (HY000)
    Pls let me know the solution

  6. You know your projects stand out of the herd. There is something special about them. It seems to me all of them are really brilliant!
    jiofi local html

  7. Great info. My problem is my EM / FMW setup doesn't allow me to configure through OEM. I can pull the password for BISystemUser from the DB using wlst.sh and the listCred() function. It is reported to be plain text (not encrypted). Do you know it to be true to be plain text? If so, do you see any reason I can't take that password and use it to update the WebLogic BISystemUser password rather than reset WebLogic and then reset the FMW system components? Many regards,

  8. It is a very nice blog. BISystemUser is an important tool in software development, so we just give the importance to this for user provide authentication. Superb job.
    http://www.datawaretools.in/chennai-courses/base-sas-training-in-chennai
