Just Analytics Blog | Performance Management News, Views and Op-ed

Securing OBIEE 11g Environment for Mobile Access

Written by Hemanta Banerjee | Nov 26, 2014 2:48:00 PM

 

In most cases, our customers deploy OBIEE inside their network for use within their own environment. However, this goes out of the window when we are talking about mobile. Mobile by definition means that my users should be able to access their data on their mobiles or tablets while they are out and about. The whole idea is that BI should be integrated into their normal work routines, and people on the go such as sales people, executives, field engineers etc. should be able to access critical information whenever and wherever needed.

In order to achieve mobile BI, do we need to expose our BI server on the internet? Hopefully not! So the question is how we do this without exposing the entire BI environment. Doing it the traditional way means that the entire BI environment, including the WebLogic application server, BI services and maybe even the database, needs to be made visible on the internet. Is that secure? No, and hence I do not think any network security team will allow it.


However, this is not a new problem. It has already been solved for most essential services, such as mail servers, by creating a DMZ. For those who do not know what a DMZ is, there is a nice article on Wikipedia with a detailed discussion of DMZs.

You can secure your application by isolating the presentation portion of the application, i.e. the web server, placing it in the DMZ and separating it from the application server, which sits in a different, protected network. The architecture looks somewhat like this:

(Figure: DMZ network diagram with two firewalls. Source: Wikipedia, n.d., http://en.wikipedia.org/wiki/Image:DMZ_network_diagram_2_firewalls.png)

 

The web server in the DMZ is permitted to have only limited connectivity to the BI Server in the internal network, as the content of the DMZ is not as secure as the internal network.
When deploying OBIEE 11g content outside the organization, all you need is an additional HTTP server, preferably an Oracle HTTP Server (OHS), which is placed in the DMZ. OHS is a web server based on Apache HTTP Server and provides the following benefits:
• Delivers an HTTP listener for Oracle WebLogic Server through the built-in WebLogic Web Server Proxy Plug-In.
• Delivers the web server component for Fusion Middleware.
• Serves static web content such as HTML, JavaScript, images etc., and dynamic web content built with CGI/FastCGI based applications.

 

How to set up the environment?
• Install OHS on the DMZ server to redirect traffic from the default port 80 (if SSL is not enabled) or 443 (if SSL is enabled) to port 9704, which is the default used by the OBIEE reporting services. Refer to mod_wl_ohs.conf for more details on specific settings (or refer to the HTTP server setup blog here).
• SSL between the client and OHS is recommended, especially given the sensitive nature of the data. However, how much SSL is too much SSL? Between the DMZ and the LAN I would recommend not having SSL, since the overhead of SSL will slow down the reports.
• This makes sure that even if OHS is compromised, the hacker cannot access the BI Server, SAW Server, database etc.
• You can also decide whether you want both intranet and internet users to always use the same URL (i.e. the OHS in the DMZ). If not, you can set up the DNS internally to resolve to a different OHS server for the intranet users.
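
The following Python check is an added example, not code from the original post or from Oracle: it audits a mod_wl_ohs.conf for `<Location>` blocks that forward anything other than the reporting path on port 9704 from the DMZ into the LAN. The allowlisted `/analytics` path, the host `bi-internal.example` and the sample configuration are assumptions constructed for illustration, and the check assumes each forwarded block sets its own `WebLogicPort`.

```python
import re

# Assumptions (not from the post): only the OBIEE presentation path is published,
# and it must forward to the default reporting port the post names (9704).
ALLOWED_PATHS = {"/analytics"}
ALLOWED_PORT = 9704

# Constructed sample mod_wl_ohs.conf; bi-internal.example is a placeholder host.
SAMPLE_CONF = """
<IfModule weblogic_module>
  <Location /analytics>
    SetHandler weblogic-handler
    WebLogicHost bi-internal.example
    WebLogicPort 9704
  </Location>
  # Publishes the WebLogic admin console through the DMZ: must be flagged.
  <Location /console>
    SetHandler weblogic-handler
    WebLogicHost bi-internal.example
    WebLogicPort 7001
  </Location>
</IfModule>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)
PORT_RE = re.compile(r"^\s*WebLogicPort\s+(\d+)", re.M | re.I)


def audit(conf_text):
    """Return (path, port, reason) for each forwarded Location outside the policy."""
    # Drop comment lines first so commented-out blocks are not reported.
    active = "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))
    findings = []
    for path, body in LOCATION_RE.findall(active):
        path = path.strip("\"'")  # Location paths may be quoted
        if "weblogic-handler" not in body.lower():
            continue  # served by OHS itself, nothing is forwarded to the LAN
        match = PORT_RE.search(body)
        port = int(match.group(1)) if match else None
        if path.rstrip("/") not in ALLOWED_PATHS:
            findings.append((path, port, "path not in allowlist"))
        elif port != ALLOWED_PORT:
            findings.append((path, port, "unexpected backend port"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```
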

You can refer to this post on how to set up OHS to get more details of the specific steps for OHS installation and configuration.

In summary, mobile BI is a brand new paradigm for accessing BI content. While some things remain the same (good BI model, good data model, efficient queries etc.), you now also need to ensure that in the process you do not forget performance and security.
More details on further tuning your OHS environment can be found here.