Month: October 2014

SSL woes

There I was, trying to wrap up a client’s installation but I was stuck.  This particular client has security concerns, they even have an external security company verify their installations and enforce corporate security policy.  That meant that OBIEE and EPM needed to both be secured by SSL.

I went down a rabbit hole to get SSL installed in OBIEE, that was an adventure in itself and it took me quite awhile to make sure everything was working properly.  I found a great resource from Oracle on their blogs page here: https://blogs.oracle.com/pa/resource/Configuring_OBIEE_with_Ful_End_to_End_SSL.pdf.  Thank you to  Veera Raghavendra Rao Koka for the detailed information.  I wish it was documented similarly in the BI documentation.

For awhile, I wasn’t concerned with EPM SSL.  I had implemented SSL termination at Oracle HTTP Server before in version 11.1.2.1, so I figured it would be pretty easy on 11.1.2.3.500+.  Wrong.  According to the documentation, there are only two supported scenarios for SSL deployment:

  • SSL Termination at an SSL Offloader (load balancer or bridge with SSL termination enabled)

SSL terminating at an Offloader

  • Full SSL deployment

Full SSL deployment

Hmm.  I don’t want either one of these options.  My client doesn’t really want un-encrypted traffic from their SSL bridge in their DMZ to the server inside the firewall.  So, I started to go down the path of full SSL.  This is a distributed installation, so that requires two different keystores for my servers running WebLogic JVMs, plus another keystore for Oracle HTTP Server.  I worked at it for awhile and was able to get the Foundation server deployed with full SSL.  I started the services and things appeared to be ok.  I was able to get into Workspace and click around into Shared Services fine.  I went into Calc Manager and the application appeared to be ok, but I got an error about not being able to connect to EPMA.  I tried to go into the Dimension Library, then I saw an error message:

Nested exception is: HTTP transport error:javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Unrecognized SSL message, plaintext connection?

At this point, I had pretty much had enough.  Oracle Support’s Knowledge Base article 1904344.1 states that this is a known issue that should be fixed with Shared Services patch 11.1.2.3.501.  Unfortunately, I had already applied that patch during the installation and I was still seeing the error.  Ain’t nobody got time for that.

So, I really didn’t want to pursue full SSL at this point.  What I really wanted was to do what I had done back in 11.1.2.1 and accept SSL connections at the Oracle HTTP Server layer and terminate those SSL requests there.  That would preclude me from needing to mess with keystores at the WebLogic layer and avoid any issues with EPMA in SSL mode.  This is what I’m talking about:

SSL termination at Oracle HTTP Server

The 11.1.2.3 Security guide mentions terminating SSL at the HTTP server; however, the architecture diagram they provide is the same diagram as SSL termination at an offloader.  The above diagram is actually from the 11.1.2.1 documentation and exactly what I want.  So, I did some Google magic and found that Pablo Bryan of Infratects has a blog and documented the exact steps that I needed back in January of 2014.  You can read his blog post here: http://hyperionvirtuoso.blogspot.com/2014/01/you-have-many-options-to-secure-your_14.html.  Thank you, Pablo!

So, I took his advice and made the two or three changes to the ssl.conf and httpd.conf files.  After restarting Oracle HTTP Server, all was right with the world and my client now has encrypted communication terminating at the HTTP Server.  It really is amazing how easy it was to set up the EPM encryption at the HTTP Server compared to the full SSL required by OBIEE.

I am humbled, thank you.

Last week on Thursday, this blog achieved a milestone.  Until then, the highest number of views was 114 in a day which was set last October.  That 114-view number stood for an entire year until it was broken last Thursday by 142 views.  Also on Thursday, this blog went over 20,000 views all-time.

Yesterday, that 142 number was eclipsed by 165 views.  We broke the record again, two business days after smashing a year-long record.

Granted, these are not huge numbers, but for a niche technology blog it feels pretty amazing that there are that many people out there wanting to get some information that many of us may take for granted.  I am humbled that so many have come here for information and I thank you for reading.

Quick Followup on Essbase 11.1.2.3.504 and Calc Manager 11.1.2.3.502

On Friday, I mentioned that the patches for Essbase Server and Run-time Client 11.1.2.3.504 used the same OPatch numbers as the Essbase Server and RTC 11.1.2.3.503 patches, respectively.  I wasn’t sure if we would need to roll back those .503 patches in order to apply the .504 patch.  The answer is no, there is no need to roll back the existing .503 patch.  As I ran the .504 patches, the OPatch process did an auto-rollback of the old patch and then applied the later version of the patch.  So that was easy.

This morning, I saw that Oracle released Calc Manager 11.1.2.3.502.  There’s 7 bug fixes in this patch, and they all seem to be refinements to the product.  I did note in the readme that you should apply this Calc Manager patch to any server running the following:

  • Calculation Manager
  • Hyperion Planning
  • “Oracle Hyperion Financial Data Quality Management ERP Integrations Adapter for Oracle Applications (ERP Integrator)” (I’m sure they mean FDMEE here)
  • EAS
  • Essbase Server

So, this Calc Manager patch has the potential to be applied to every server in a distributed installation, depending on how you spread your products out.

Essbase 11.1.2.3.504

There is a flurry of activity going on with the Essbase product development team at Oracle.  Glenn Schwartzberg had the scoop on Essbase 11.1.2.3.504 that released just a few hours ago.

As I look at the current readme, I am struck by two things:

  1. This entry: “Caution: Oracle recommends using the same version of all Essbase portfolio products (Essbase, Essbase Administration Services, Hyperion Provider Services, and Essbase Studio) and components (server, client, runtime client, API, and JAPI). When only some Essbase portfolio products are included in a patch release, the last released versions of the products that are not included in the patch are supported.Essbase Administration Services 11.1.2.3.503, Provider Services 11.1.2.3.502, and Essbase Studio 11.1.2.3.502 are supported for use with Essbase 11.1.2.3.504.”
  2. And then this under Known Issues in this Patch: “The opatch ids for this patch were not updated so after unzipping the opatch file the root directory will not match the opatch id from 11.1.2.3.504 but will be the opatch ids from 11.1.2.3.503.  Any warnings from opatch can be ignored.”  I am wondering if you have applied the .503 Essbase patch, you may need to rollback that patch in order to apply the .504 patch since the IDs are the same.  I can report back on that later since I have .503 installed at a client site and now need to update it.

There are a set of patch numbers that you can search for, or just search under the Hyperion Essbase product.  There is no Essbase client MSI on Oracle Support for Windows (yet).  As per #1 above, the client for 11.1.2.3.502 should be fine as it was against Essbase 11.1.2.3.503.

Component Patch ID
Essbase Client MSI (Windows) 19613877
Essbase Client (OPatch) 19613886
Runtime Client 19613868
Essbase Server 19613865

The list of defects fixed isn’t terribly long; however, it appears that this patch addresses some instances where the Essbase server and/or applications may stop responding or terminate.  Based on that alone, it’s probably a good idea to patch any .500, .501, .502, or .503 instances to .504.

OBIEE 11.1.1.7.141014 Patch Available

On October 14, Oracle released patch 19261194 for OBIEE 11.1.1.7.141014.  This patch does not contain any new features; however, there are 86 bug fixes in the readme.  The bug fixes were in BI Publisher, BI Server, and BI Presentation Services.

One of those fixes is addressing SSO between EPM Workspace and OBIEE.  For those customers living on the edge and wanting your OBIEE presented in EPM Workspace, this might be the key to getting that integration working with SSO from Workspace into OBIEE and back into Essbase for analyses/dashboards.

Oracle Critical Patch Update Oct. 2014

Yesterday Oracle released their quarterly Critical Patch Update.  Browsing through the various readme files, I found that no Hyperion or EPM products were directly listed this quarter.  OBIEE didn’t have any new patches to its software this quarter, either.

As you browse the information provided, you can see that WebLogic 10.3.6.0 does have some low risk vulnerabilities addressed by this CPU.  Oracle’s recommendation is to apply the 10.3.6.0.9 WebLogic Server Patch Set Update (Patch 19182814) to address some of the concerns with the WebLogic application server that is installed with and supports EPM and OBIEE.

In critical environments, it would also be advised to monitor and update the supporting Java SE version installed or used with Fusion Middleware products such as EPM and OBIEE.  See Oracle Support note 1492080.1 on updating the installed Java version for Fusion Middleware products.

In reality, most EPM/BI implementations are going to be safely behind a corporate firewall and won’t worry about these too much.  If you are hosting healthcare.gov, for instance, I would hope that you would already be aware of these and patched by now.

EOL for Web Analysis and Production Reporting (SQR)

Torben Hein of Oracle released a blog post this morning outlining the product direction of Web Analysis and SQR Reporting.  You can see the original post here.

Long story short, both products have reached their maturity and will not be continued after the 11.1.2.x code line.  My interpretation is that they will still be contained in the upcoming 11.1.2.4 release of EPM that is tentatively scheduled for sometime this winter.  Beyond that, I do not see these products carrying forward.

Many customers are shifting their EPM licenses to the BI Foundation Suite (BIFS) licensing, which is great news.  This shift in licensing allows those customers the ability to use OBIEE, which is a stronger foundation for reporting, analyses, and dashboards than Web Analysis and SQR.  OBIEE also has a wider adoption rate, in my experience.

To any prospective clients looking at an upgrade, I would strongly recommend contacting your Oracle Sales Rep and asking how to shift to the BIFS licensing and then plan to move any reporting from Web Analysis and SQR over to OBIEE after your upgrade.