One of the features everybody "loved" about OBIEE 11g were the Global Unique Identifiers (GUIDs), used to recognize users and groups based on an identifier that could be different from the username. The original aim of GUIDs was being able to distinguish different users sharing the same username coming from multiple Authentication Providers.
The GUIDs management could be tricky especially if they are not in sync between different environments, and could cause a wide range of errors like the inability to login or to see parts of the catalog.
[2016-10-20T09:19:04.000+02:00] [OBIPS] [ERROR:1]  [saw.security.validate.indexes] [ecid: 0058cGJgGOkBh4sawh3j6G0001QC00000B,0] [tid: 2002437888] XXXX's guid 0A8AC9E0811D11E4AF4FE155B36CBFFD in catalog doesn't match guid 49BB3BB0629311E5BFFE71BB91F31C2B in backend! Aborting! Please UpdateGuids!
After checking the Presentation Services logs (sawlog.log), the solution for most of those errors was simply regenerating GUIDs. The GUIDs regeneration method however isn't something easily doable in a production system since it requires some downtime (a reboot of both the Oracle BI Server and Presentation Services is required).
Why Would you Run Catalog Validation?
You may ask yourself:
Why is he talking about GUIDs when they have been removed in OBIEE 12c?
And you would be perfectly correct. GUIDs misalignment is not a problem anymore in OBIEE 12c but was historically only one of the issues causing catalog corruption and that would require afterwards a catalog validation.
Even without GUIDs catalog corruption is still something that could happen in OBIEE 12c: objects (e.g. analysis, dashboards, agents) owned by deleted users, broken links, corrupted files in the server are only some of the issues that could be present in any OBIEE implementation no matter which version it's installed.
Most of the time corrupted catalogs generate errors which are difficult to diagnose and the manual fixing is not always possible and never easy to do.
The Catalog Validation process, available since OBIEE 11g, is very powerful since provides a detailed analysis - and an automated fix if configured - of all the catalog corruptions.
What is Catalog Validation?
As per Oracle's documentation, the Catalog Validation (CV) procedure does the following checks:
- Ensures that each object in the catalog is larger than zero bytes: any object with zero bytes size is probably due to corruption and should be removed.
- Ensures that each item in the catalog has a valid corresponding .atr file: the .atr file contains the properties (permissions, ownership, creation date, modification date etc.) of any object in the catalog. An object without related .atr file is not visible in OBIEE's front-end.
- Ensures that each link in the catalog is valid: links to deleted or renamed dashboards and analysis will cause an error when clicked.
- Ensures that the files in the account cache are valid: this step checks that all the accounts are valid and the cache entries (storing user related information) are up to date.
- Ensures that all XML objects in the catalog pass schema validation: every object (dashboard, analysis, prompt etc.) in the catalog is stored as XML file. This step checks that the XML is valid.
- Attempts to repair object names that were damaged by ftp programs: moving catalog objects using ftp programs could corrupt the object name.
When Should You Run Catalog Validation?
I've seen Catalog Validation being used only when problems were raised, however it is a good practice to validate the catalog every time a major change is made that impacts it or on a schedule in environments where end users can directly create content.
The following is a list of cases when running a Catalog Validation could be useful:
- Before an upgrade: running CV before an upgrade and ensuring the consistency helps avoiding problems related to possible corruptions
- After an upgrade: running CV after an upgrade to ensure that content and security migration worked
- After a major change: when a major change happens in the catalog CV ensures to missing links or ownership problems are present
- After a deployment: executing CV after a production deployment to check the content migration and verify the security.
- On a schedule: execute CV on instances where end-users can create content and to verify accounts.
Please note that a catalog can have corruption even if no front-end enhancements have been made, the following are just some examples:
- Developer account deletions: all objects owned by that account will be flagged as corrupted
- Security changes: changing/deleting security roles impact catalog privileges
- File System corruption: data can be badly written in file system
- Content deletions: deleting content makes referring objects corrupted
Sometimes the OBIEE environment continues working as expected even if some of the above corruptions are present. Nevertheless on a long period those may be cause of errors especially if upgrades or changes in the security are planned.
Where Do You Run Catalog Validation?
Catalog Validation can be run in every OBIEE instance available, however the following use cases could be particularly interesting:
- Validating development catalog: once consistency of development catalog is ensured it can then be migrated forward to production
- Validating production (or smoke test) catalog: validating production catalog to ensure that code promotions happened consistently, that user homes are valid and that no objects (user created or promoted) are broken.
A particularity to note down is that if running CV with a production catalog in a different environment (e.g. development) with a different security store, then many accounts and their related content could be flagged as not-existent and deleted. As a general rule CV should be run on environments sharing the same security as where the catalog is sourced from, allowing a genuine check of the security settings.
Performing a Catalog Validation in production environment is not always possible due to the processes restarts required, a smoke test environment sharing the same security settings would be the perfect target for the test. When running Catalog Validation on a live catalog or when taking a catalog backup ensure that "Maintenance Mode" is activated: setting this flag ON (that can be found under Administration page in OBIEE's front-end) ensures that no changes can be performed in the catalog during the check or upgrade.
How Do You Run Catalog Validation?
In order to run Catalog Validation you need to:
- Stop Presentation Service[s] (obips):
Stopping the component can be achieved either in Enterprise Manager or via command line. Command line syntax has changed between OBIEE 11g and 12c, you can find the two statements in below code
# 11g Syntax
$INSTANCE_HOME/bin/opmnctl stopproc ias-component=obips1
# 12c Syntax
$INSTANCE_HOME/bitools/bin/stop.sh -i OBIPS
- Create a backup of the catalog: when performing a catalog backup 7-Zip should be the chosen tool. WinZip has know problems with catalog files (see Oracle's doc, chapter "17.10 Archiving and Unarchiving Using Catalog Manager").
- Create a backup of
instanceconfig.xmlfile in order to include the validation tags explained in the following section
- Start Presentation Service[s]: like the stop operation, this can be performed either via EM or command line. Below the code for 11g and 12c
# 11g Syntax
$INSTANCE_HOME/bin/opmnctl startproc ias-component=obips1
# 12c Syntax
$INSTANCE_HOME/bitools/bin/start.sh -i OBIPS
- Repeat the steps above until the catalog is fully validated: As explained in section below, several different assessment and automated fixes can be performed. The sawlog.log files will contain entries when corrupted object are present in the catalog. A catalog is fully validated when no corrupted objects are found during CV.
- Stop Presentation Service[s]
- Restore original
- Start Presentation Service[s]
Catalog Validation configuration
The following tags must be inserted under
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Oracle Business Intelligence Presentation Services Configuration File -->
The tags do the following. See below for an explanation of the values that can be specified:
- Validate: Main configuration tag. Possible values are
- None: No Catalog Validation is going to happen, however all the privileges and each object ACLs are cleaned for non-existing accounts
- OnStartupAndExit: Presentation Service is started, performs the validation based on the following tags and stops. This process can be reiterated multiple times with different options for each element.
- ValidateAccounts: Verifies the consistency of users, roles and groups.
- ValidateHomes: Verifies all user's homes, is executed only if ValidateAccounts is set to Report or Clean
- ValidateItems: Verifies if catalog items are consistent - size greater than zero and valid xml.
- ValidateLinks: Verifies the consistency of all links in the catalog (e.g. all analysis contained in a dashboard).
The accepted values for all settings except Validate are: are the following:
- None: no validation will be performed
- Report: a log is written for every inconsistent item in
- Clean: does the same step as Report plus removing from the catalog the inconsistent object.
As you understand the "Clean" option isn't suggested for all tags, you don't want a dashboard to be deleted only because the owner doesn't exist anymore, but it is the desired choice when you need to remove all the old or corrupted user homes. The "Report" option on the other side provides a way of logging all the corrupted items and fixing them manually.
Catalog Validation is an extremely useful tool, allowing an automated check (and fix) of all the corrupted items in the catalog. Using Catalog Validation together with Baseline Validation Tool provides a way of ensuring the correctness of migrations and developments:
- Running Catalog Validation before the migration to ensure all objects to promote are consistent
- Running Catalog Validation after the migration to ensure the consistency of all promoted objects and security
- Running Baseline Validation Tool between source and target environment to ensure the expected outputs are matching.
Summarizing Catalog Validation and Baseline Validation Tool can be considered complementary: the first checks the catalog objects and security consistency, the second analyses and compares the expected results. Running both alongside any code promotion process should be considered a good practice.