Technical Note 451: Configuring Siebel Analytics version 7.

5 integrated authentication mechanism

Last Modified: Area(s): Release(s): Database(s): App Server OS(s): Latest release tested against: Keywords: 22 August 2003 Siebel Analytics V7 (Enterprise) DB2, Microsoft, Oracle AIX, Solaris, Windows NT, Windows 2000, HP-UX V7 (Enterprise) Analytics, Integrated, repository, single sign-on

Background In an integrated Siebel Analytics environment users that are logged in are automatically authenticated in Siebel Analytics when they select any Analytics specific dashboard tab or Answers link. This authentication mechanism is pre-configured in Siebel eBusiness applications and the Siebel Analytics repository file, siebelanalytics.rpd. This technical note provides details about this pre-configured authentication mechanism and the implementation specific information that needs to be substituted in the siebelanalytics.rpd file for this mechanism to work. Summary Configuration steps for siebelanalytics.rpd for Integrated Analytics Shut down the Analytics server and open the siebelanalytics.rpd file using the Siebel Analytics Administration Tool in offline mode to make changes detailed below. Configuring SiebelAnalytics.rpd connection settings: The standard siebelanalytics.rpd repository comes preconfigured with DB2 connections in physical layers. Depending on the type and physical connection information the following changes should be made in siebelanalytics.rpd repository file: Change the default values of the static variables. Change the data-source type if database is not DB2. Provide the correct physical database connection information.

Note that these changes should be made for all the physical data-sources in the physical layer. In particular, the Siebel OLTP data-source must be changed as it is used by the integrated analytics for single sign-on and to authenticate users defined in Siebel eBusiness application.

Changing static variables: siebelanalytics.rpd comes preconfigured with default suggested values for the physical connection to the database. These values are defined as static variables in the repository and should be changed to reflect the correct physical connection information. To make this change, open the static variables information using Menu option: Manage > Variables > Static. The following variables may require changes for local database connectivity: OLTP_USER: by default this is set to SIEBEL and is assumed that this user has access to all OLTP tables. If this is different in the implementation, change it to the correct value. OLAP_USER: by default this is set to SIEBEL and is assumed that this user has access to all OLAP tables. If this is different in the implementation, change it to the correct value. OLAP_DSN: this is the native database connection information for the physical database containing all OLAP tables. For example, for Oracle 8i/9i this is tnsnames entries.

Note that Siebel Analytics uses native database connectivity for most popular databases, for example, DB2 and Oracle 8i/9i. It uses ODBC for MSSQL 2000 or any other database type where native connectivity is not directly supported. TBO and OLTPTBO are the database users who own physical database tables for OLAP and OLTP databases. The default values are SIEBEL, but should be changed to the correct database user value if it is different.

Changing Data-source type: Only required if the physical database type is not DB2 UDB version 7. Double click on the Data-Source and select the appropriate Database value Oracle 8i/9i for Oracle 8.1.7 and above ODBC 3.5 for MSSQL 2000

Changing Connection Pool setting and Password: Change Connection Pool settings for 2 DB connection pools under Siebel OLTP physical data-source Open the connection pool OLTP connection pool for the Siebel OLTP data-source. Provide the correct password for the user VALUEOF(OLTP_USER), this value will be substituted with the value defined in the static variables section above, for example, SIEBEL. Note that the default value is db2. If the data-source type was changed in the previous step, for example, from DB2 to Oracle 8i/9i, then the Call interface will also change accordingly, for example, OCI 8.1 for Oracle 8i/9i.

Note that no change in username/password is required for the OLTP DbAuth Connection Pool. Keep the default values :USER and :PASSWORD as they will be substituted with correct values passed from Siebel OLTP.

Change Connection Pool settings for all other connection pools for all the physical datasources Open all other connection pools and provide the correct password for the VALUEOF (OLAP_USER). The default password is db2.

Changes to other physical data-sources: The standard siebelanalytics.rpd contains mapping for both Siebel horizontal and many vertical applications such as Siebel Industrial Applications and Siebel Pharma. If a particular implementation is licensed to use other vertical models then appropriate changes should also be made in all relevant physical data-sources as above. How single sign-on works in an integrated environment The following steps are performed internally for Single Sign-on in an integrated environment: 1. User logs in into Siebel eBusiness application by providing correct login information. Note that for any Siebel user a record always exist in the S_USER table. 2. The Siebel Analytics Integrated environment uses Symbolic URL feature to directly access the Siebel Analytics Web pages from within the Siebel eBusiness Web Client. This symbolic URL information is already imported into Siebel enterprise database as seed data during installation or upgrade and can be viewed from View > Site Map > Integration Admin > Symbolic URL Administration view. Query the list for a URL like *NQHOST*. Here NQHOST is also defined in the View > Site Map > Integration Admin >

Host Administration for the Virtual Name NQHOST. 3. When a user clicks on a Siebel Analytics tab to access a dashboard the corresponding Symbolic URL is sent to the Web server running Analytics Web. In addition the users authentication information, that is, NQUSER and NQPASSWD is also passed on the Analytics Web Server. 4. User authentication information is sent to the Siebel Analytics Server. In the integrated repository file, siebelanalytics.rpd, an initialization block Authentication is predefined. This initialization block executes a simple SQL statement Select ':USER from VALUEOF(TBO).S_USER U WHERE U.LOGIN=':USER' Using the "Siebel OLTP"."OLTP DbAuth Connection Pool" DB connection pool. This connection pool uses Username = :USER and Password = :PASSWORD Using the above SQL if the logged in username is a valid Siebel OLTP user then the Analytics servers session variable :USER will have correct value. After successful execution of the authentication initialization block, the following additional initialization blocks are executed to initialize additional session variables in Siebel Analytics: Authorization LOGIN Properties

The following is a step-by-step process example for a particular user a. User jsmith with correct password, for example, jsmithpasswd, logs in into the Siebel eBusiness application. b. Upon successful login, the user selects the Service Analytics tab to access the Service Dashboard in Siebel Analytics Web. c. Pre-defined symbolic URL information for the Dashboard Service Analytics is retrieved and is passed on to Siebel Analytics Web. In addition user authentication information is also sent to the Analytics Web server.

d. The Analytics Web Server sends the authentication information to the Siebel Analytics Server. The predefined initialization block Authentication is invoked and the SQL provided previously is executed using "Siebel OLTP"."OLTP DbAuth Connection Pool" DB connection with the username/password :USER = jsmith and :PASSWORD=jsmithpasswd. e. Since the above is a correct username/password the user is able to successfully log into the OLTP database and the SQL is successfully executed. The Analytics session variable :USER is set to the value jsmith. f. After this the Authorization and LOGIN Properties initialization blocks are executed and additional System variables are initialized. Note: The Siebel Admin login SADMIN is also defined in the siebelanalytics.rpd file as a repository user. Therefore, if the user logs in with SADMIN in Siebel eBusiness app and the above query fails it can still log in because of repository User information. Also the default password for SADMIN is defined as SADMIN in the repository and should be changed.

Troubleshooting the integrated Analytics login problems 1. Users can login as SADMIN with the correct Password into a Siebel eBusiness application but when they navigate to Analytics Dashboard they get the Siebel Analytics login screen. Make sure that connection pool information is changed appropriately in the Analytics repository file siebelanalytics.rpd. Also make sure that default password for SADMIN user has been changed in the repository file if required. 2. Users can login as SADMIN user and can see all the Analytics Dashboards but it shows the Analytics login screen with any other user. Make sure that connection pool information is changed appropriately in the Analytics repository file siebelanalytics.rpd. If this is correct then NQQuery.log file should show the query executed successfully and returned one row. 3. How can users test that their connection pools are set correctly? In the Manage initialization blocks there is a Test button to test if the particular SQL in the block is correct for the selected connection pool. Also in the Physical Layer, right click on any table defined under the physical source and select Update row count. If row count correctly shows up then connection pool is set correctly.

4. If LDAP is used to authenticate users at Siebel OLTP level, what additional configuration steps are required in integrated Analytics environment? For LDAP authentication in Siebel Analytics, a separate initialization block should be defined in the .rpd file. Steps to configure this are documented in the Siebel Analytics Administrator guide.