OBIEE

Oracle Critical Patch Update Q1, 2015 – OBIEE 11.1.1.7.150120

Oracle’s quarterly Critical Patch Update came out today (1/20/2015).  While the Hyperion products did not have any critical patches come out in the last quarter from a security perspective, the OBIEE products were included.  Taking a look at the document, OBIEE and BI Publisher are listed as requiring a recommended security patch (number 20124371).

The OBIEE 11.1.1.7.150120 comments on the My Oracle Support Document 1488475.1 state that this will likely be the last bundle patch for the 11.1.1.7 version.

Per the readme:

The Oracle BI EE Suite Bundle Patch 11.1.1.7.150120 under the top-level patch 20124371 consists of the following component patches:

Patch Abstract
16913445 Oracle Business Intelligence Installer (BIINST)
19822893 Oracle Business Intelligence Publisher (BIP)
19825503 Enterprise Performance Management Components Installed from BI Installer 11.1.1.7.0 (BIFNDNEPM)
19822857 Oracle Business Intelligence Server (BISERVER)
19822826 Oracle Business Intelligence Presentation Services (BIPS)
19823874 Oracle Real-Time Decisions (RTD)
16997936 Oracle Business Intelligence ADF Components (BIADFCOMPS)
20022695 Oracle Business Intelligence Platform Client Installers and MapViewer

This release has no new features; however, there are 130+ new bug fixes in this bundle patch.

In addition to this patch, the Dynamic Monitoring Service Patch (number 16569379) and Patch 18277370 for running Enterprise Manager in IE11 are also required.  If it’s a new install or you haven’t updated your BI Mobile Application Designer, it would be a good time to install patch number 18794832 as well.

*** EDIT 1/23/2015 – after multiple people found the note in Oracle KB Article 1488475.1, the note was removed from the document.  Oracle reserves the right to patch if necessary; however, I have a feeling development is going to be more focused on the 12c version of OBIEE.

SSL woes

There I was, trying to wrap up a client’s installation but I was stuck.  This particular client has security concerns, they even have an external security company verify their installations and enforce corporate security policy.  That meant that OBIEE and EPM needed to both be secured by SSL.

I went down a rabbit hole to get SSL installed in OBIEE, that was an adventure in itself and it took me quite awhile to make sure everything was working properly.  I found a great resource from Oracle on their blogs page here: https://blogs.oracle.com/pa/resource/Configuring_OBIEE_with_Ful_End_to_End_SSL.pdf.  Thank you to  Veera Raghavendra Rao Koka for the detailed information.  I wish it was documented similarly in the BI documentation.

For awhile, I wasn’t concerned with EPM SSL.  I had implemented SSL termination at Oracle HTTP Server before in version 11.1.2.1, so I figured it would be pretty easy on 11.1.2.3.500+.  Wrong.  According to the documentation, there are only two supported scenarios for SSL deployment:

  • SSL Termination at an SSL Offloader (load balancer or bridge with SSL termination enabled)

SSL terminating at an Offloader

  • Full SSL deployment

Full SSL deployment

Hmm.  I don’t want either one of these options.  My client doesn’t really want un-encrypted traffic from their SSL bridge in their DMZ to the server inside the firewall.  So, I started to go down the path of full SSL.  This is a distributed installation, so that requires two different keystores for my servers running WebLogic JVMs, plus another keystore for Oracle HTTP Server.  I worked at it for awhile and was able to get the Foundation server deployed with full SSL.  I started the services and things appeared to be ok.  I was able to get into Workspace and click around into Shared Services fine.  I went into Calc Manager and the application appeared to be ok, but I got an error about not being able to connect to EPMA.  I tried to go into the Dimension Library, then I saw an error message:

Nested exception is: HTTP transport error:javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Unrecognized SSL message, plaintext connection?

At this point, I had pretty much had enough.  Oracle Support’s Knowledge Base article 1904344.1 states that this is a known issue that should be fixed with Shared Services patch 11.1.2.3.501.  Unfortunately, I had already applied that patch during the installation and I was still seeing the error.  Ain’t nobody got time for that.

So, I really didn’t want to pursue full SSL at this point.  What I really wanted was to do what I had done back in 11.1.2.1 and accept SSL connections at the Oracle HTTP Server layer and terminate those SSL requests there.  That would preclude me from needing to mess with keystores at the WebLogic layer and avoid any issues with EPMA in SSL mode.  This is what I’m talking about:

SSL termination at Oracle HTTP Server

The 11.1.2.3 Security guide mentions terminating SSL at the HTTP server; however, the architecture diagram they provide is the same diagram as SSL termination at an offloader.  The above diagram is actually from the 11.1.2.1 documentation and exactly what I want.  So, I did some Google magic and found that Pablo Bryan of Infratects has a blog and documented the exact steps that I needed back in January of 2014.  You can read his blog post here: http://hyperionvirtuoso.blogspot.com/2014/01/you-have-many-options-to-secure-your_14.html.  Thank you, Pablo!

So, I took his advice and made the two or three changes to the ssl.conf and httpd.conf files.  After restarting Oracle HTTP Server, all was right with the world and my client now has encrypted communication terminating at the HTTP Server.  It really is amazing how easy it was to set up the EPM encryption at the HTTP Server compared to the full SSL required by OBIEE.

OBIEE 11.1.1.7.141014 Patch Available

On October 14, Oracle released patch 19261194 for OBIEE 11.1.1.7.141014.  This patch does not contain any new features; however, there are 86 bug fixes in the readme.  The bug fixes were in BI Publisher, BI Server, and BI Presentation Services.

One of those fixes is addressing SSO between EPM Workspace and OBIEE.  For those customers living on the edge and wanting your OBIEE presented in EPM Workspace, this might be the key to getting that integration working with SSO from Workspace into OBIEE and back into Essbase for analyses/dashboards.

Oracle Critical Patch Update Oct. 2014

Yesterday Oracle released their quarterly Critical Patch Update.  Browsing through the various readme files, I found that no Hyperion or EPM products were directly listed this quarter.  OBIEE didn’t have any new patches to its software this quarter, either.

As you browse the information provided, you can see that WebLogic 10.3.6.0 does have some low risk vulnerabilities addressed by this CPU.  Oracle’s recommendation is to apply the 10.3.6.0.9 WebLogic Server Patch Set Update (Patch 19182814) to address some of the concerns with the WebLogic application server that is installed with and supports EPM and OBIEE.

In critical environments, it would also be advised to monitor and update the supporting Java SE version installed or used with Fusion Middleware products such as EPM and OBIEE.  See Oracle Support note 1492080.1 on updating the installed Java version for Fusion Middleware products.

In reality, most EPM/BI implementations are going to be safely behind a corporate firewall and won’t worry about these too much.  If you are hosting healthcare.gov, for instance, I would hope that you would already be aware of these and patched by now.

EOL for Web Analysis and Production Reporting (SQR)

Torben Hein of Oracle released a blog post this morning outlining the product direction of Web Analysis and SQR Reporting.  You can see the original post here.

Long story short, both products have reached their maturity and will not be continued after the 11.1.2.x code line.  My interpretation is that they will still be contained in the upcoming 11.1.2.4 release of EPM that is tentatively scheduled for sometime this winter.  Beyond that, I do not see these products carrying forward.

Many customers are shifting their EPM licenses to the BI Foundation Suite (BIFS) licensing, which is great news.  This shift in licensing allows those customers the ability to use OBIEE, which is a stronger foundation for reporting, analyses, and dashboards than Web Analysis and SQR.  OBIEE also has a wider adoption rate, in my experience.

To any prospective clients looking at an upgrade, I would strongly recommend contacting your Oracle Sales Rep and asking how to shift to the BIFS licensing and then plan to move any reporting from Web Analysis and SQR over to OBIEE after your upgrade.

July 2014 Oracle Quarterly Critical Patch Availability

Today Oracle released a list of vulnerabilities to the EPM and related BI software along with a host of other products.  See the full announcement here: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

This one was interesting as my beloved Hyperion products were mentioned.  Seven vulnerabilities were identified with Hyperion products.  It was interesting that most of the patches for these vulnerabilities have been out for a little while, so hopefully you have already mitigated some of these.  Here is list of defects for Hyperion:

7-15-2014 5-25-14 PM

If you clicked the link from the announcement to My Oracle Support note number 1666884.1, the Patch Set Update and Critical Patch Update July 2014 Availability Document, will give you the patches to fix each vulnerability.

Patch Availability for Oracle Hyperion Analytic Provider Services

Product Home Patch Advisory Number Comments
11.1.2.3 SPU Patch 17767293 CVE-2014-4246  11.1.2.3.500 PSU
11.1.2.2 SPU Patch 18148649 CVE-2014-4246  11.1.2.2.106 PSU

Patch Availability for Oracle Hyperion BI+

Product Home Patch Advisory Number Comments
11.1.2.3 SPU Patch 17529887 and SPU Patch 18383790 CVE-2014-0436  11.1.2.3.500 PSU (included in 17767293) and 11.1.2.3.500 Client Installers PSE
11.1.2.2 SPU Patch 18659116 and SPU Patch 18856417 CVE-2014-0436 I could not find these patches. The links do not show the patch.

 

Patch Availability for Oracle Hyperion Common Admin

Product Home Patch Advisory Number Comments
11.1.2.3 CPU Patch 18672071 CVE-2014-4269, CVE-2014-4270 11.1.2.3.501 PSU for Shared Services
11.1.2.2 CPU Patch 18659116 CVE-2014-4269, CVE-2014-4270 I could not find this patch either.

 

Patch Availability for Oracle Hyperion EAS

Product Home Patch Advisory Number Comments
11.1.2.3 Admin Server Patch 17417347Admin Console Patch 17417344 Released January 2014  11.1.2.3.002 PSU, should also be included in 11.1.2.3.501 PSU
11.1.2.2 Admin Server Patch 17277761Admin Console Patch 17277764 Released January 2014  11.1.2.2.104 PSU
11.1.2.1 Admin Server Patch 17545122Admin Console Patch 17545124 Released January 2014  11.1.2.1.107 PSU

 

Patch Availability for Oracle Hyperion Enterprise Performance Management Architect

Product Home Patch Advisory Number Comments
11.1.2.3 SPU Patch 17529887 and SPU Patch 18383790 CVE-2014-4203, CVE-2014-4206  11.1.2.3.500 PSU and 11.1.2.3.500 Client Installers PSE
11.1.2.2 SPU Patch 18659116 and SPU Patch 18856417 CVE-2014-4203, CVE-2014-4206  I could not find this patch either.

 

Patch Availability for Oracle Hyperion Essbase

Product Home Patch Advisory Number Comments
11.1.2.3 SPU Patch 18505489 CVE-2014-4271  11.1.2.3.501 PSU
11.1.2.2 SPU Patch 18520684 CVE-2014-4271  11.1.2.2.000 Patch Set Update Exception (PSE): 11.1.2.2.106 (18520684)

 

Patch Availability for Oracle Hyperion Strategic Finance

Product Home Patch Advisory Number Comments
11.1.2.2 CPU Patch 14593946 Released April 2014 11.1.2.2.301 PSU
11.1.2.1 CPU Patch 17636270 Released April 2014 11.1.2.1.103 PSU

 

In addition to the application patches, we also find that WebLogic Server 10.3.6.0 is listed.  This is important because it is part of our installation of EPM 11.1.2.x and most of us take it for granted.

Patch Set Update Availability for Oracle WebLogic Server

Product Home Patch Advisory Number Comments
Oracle Java SE home JDK/JRE 6 Update 81:

 See Note 1492980.1How to Maintain the Java SE Installed or Used with FMW 11g Products
Oracle JRockit 28.x home R28.3.3- Patch 18763693
WebLogic Server 10.3.6.0.0 home PSU 10.3.6.0.8 Patch 18040640 CVE-2014-2480, CVE-2014-2481, CVE-2014-4256, CVE-2014-4242, CVE-2014-4253, CVE-2014-4267, CVE-2014-4255, CVE-2014-4254, CVE-2014-2479, CVE-2014-4210, CVE-2014-4241, CVE-2014-4217, CVE-2014-4201, CVE-2014-4202 See Note 1306505.1Announcing Oracle WebLogic Server PSUs (Patch Set Updates)For CVE-2014-4256, see Note 1903763.1, Download Request for Security Configuration

 

Also note in the announcement that there is a patch for OBIEE’s Mobile App Designer.

Patch Availability for Oracle Business Intelligence App Mobile Designer

Product Home Patch Advisory Number Comments
11.1.1.7.0 SPU Patch 18794832 CVE-2014-4249 Must delete existing MAD deployment and install this one.  Check the readme.

 

This appears to be a replacement for the entire MAD install.  Going forward, I will use the Oracle BI Mobile App Designer patch 18794832 instead of the older 17220994 patch.  This patch came out on 6/3, so they aren’t very good about announcing these patches.  I guess that’s why we should be reading these quarterly announcements to find out what has been fixed.

 

New OBIEE 11.1.1.7 patches – IE10 compatibility

I haven’t done much OBIEE work lately; however, the OBIEE patch posts I have done in the past remain one of the most popular topics on my blog.  Since the release of 11.1.1.7.1, there have been two new patches released.

OBIEE 11.1.1.7.1.131017 released back in October of 2013.  There were a few notable new features:

There are eight component patches that are served by one patch number: 17530796.  Once these component patches have been applied, you may also apply patch 17220944 for the BI Mobile App Designer if it has not been previously installed.

Patch 17530796 includes the following:

  • Patch 16913445 – Oracle Business Intelligence Installer (BIINST)
  • Patch 17463314 – Oracle Business Intelligence Publisher (BIP)
  • Patch 17300417 – Enterprise Performance Management Components Installed from BI Installer 11.1.1.7.0 (BIFNDNEPM)
  • Patch 17463395 – Oracle Business Intelligence Server (BISERVER)
  • Patch 17463376 – Oracle Business Intelligence Presentation Services (BIPS)
  • Patch 17300045 – Oracle Real-Time Decisions (RTD)
  • Patch 16997936 – Oracle Business Intelligence ADF Components (BIADFCOMPS)
  • Patch 17463403 – Oracle Business Intelligence Platform Client Installers and MapViewer

In addition to the above patch, the Dynamic Monitoring Service patch 16569379 and of course, the BI Mobile App Designer patch 17220944.

Before getting too excited about applying 11.1.1.7.131017, on January 14, 2014, OBIEE 11.1.1.7.140114 was released as patch 17886497.  This patch may be applied to OBIEE 11.1.1.7.0 or 11.1.1.7.1.

There were no new features in this patch, although Oracle did fix a few bugs in some of the products since the prior patch.  Not all of the patches contained in 11.1.1.7.140114 are new, only the following products were actually changed for this patch:

  • Oracle Business Intelligence Publisher (BIP)

  • Oracle Business Intelligence Server (BISERVER)

  • Oracle Business Intelligence Presentation Services (BIPS)

  • Oracle Business Intelligence Platform Client Installers and MapViewer

Patch 17886497 includes the following patches:

  • Patch 16913445 – Oracle Business Intelligence Installer (BIINST)
  • Patch 17922352 – Oracle Business Intelligence Publisher (BIP)
  • Patch 17300417 – Enterprise Performance Management Components Installed from BI Installer 11.1.1.7.0 (BIFNDNEPM)
  • Patch 17922552 – Oracle Business Intelligence Server (BISERVER)
  • Patch 17922596 – Oracle Business Intelligence Presentation Services (BIPS)
  • Patch 17300045 – Oracle Real-Time Decisions (RTD)
  • Patch 16997936 – Oracle Business Intelligence ADF Components (BIADFCOMPS)
  • Patch 117922577 – Oracle Business Intelligence Platform Client Installers and MapViewer

In addition to the above patch, the Dynamic Monitoring Service patch 16569379 and of course, the BI Mobile App Designer patch 17220944 (both are the same as above).

As always, the best advice I can give for installing these patches is to read and follow the instructions in the README files that are included with each of the patches.  For these OBIEE patches, often the main patch download includes the instructions that should be applied for each of the patches contained within.

OBIEE 11.1.1.7.1 patching

Just last week I installed OBIEE 11.1.1.7 and patched it to version 11.1.1.7.1 which was released back in July, I believe.  I went to my trusty Oracle Support document (Doc ID 1488475.1), and found that someone from Oracle had gutted the article of virtually all helpful information on the various OBIEE patches available for versions 11.1.1.6 and 11.1.1.7.  Thankfully, I was able to find Doc ID 1566124.1, which states the patches that make up OBIEE 11.1.1.7.1.

The six OBIEE-specific patches are combined into one download as patch number 16556157.  Also required during the patching is patch number 16569379.  These patches are available on the My Oracle Support site (https://support.oracle.com) and are installed as previously covered on this blog.  Be sure to read the readme file in the Patch 16453010 folder for any questions.

Patch 16556157 – OBIEE BUNDLE PATCH 11.1.1.7.1 (Patch) is comprised of the following patches, which are not available separately:

  • Patch 16453010 – Patch 11.1.1.7.1 (1 of 6) Oracle Business Intelligence Installer (BIINST)
  • Patch 16849017 – Patch 11.1.1.7.1 (2 of 6) Oracle Business Intelligence Publisher (BIP)
  • Patch 16916026 – Patch 11.1.1.7.1 (3 of 6) Enterprise Performance Management Components Installed from BI Installer 11.1.1.7.0 (BIFNDNEPM))
  • Patch 16850553 – Patch 11.1.1.7.1 (4 of 6) Oracle Business Intelligence Server (BIS)
  • Patch 16842070 – Patch 11.1.1.7.1 (5 of 6) Oracle Business Intelligence Presentation Services (BIPS)
  • Patch 16869578 – Patch 11.1.1.7.1 (6 of 6) Oracle Business Intelligence Platform Client Installers and MapViewer

Also you must download:

Patch 16569379 – Dynamic Monitoring Service patch

Oracle states the following caveats as well:

  • Be aware that a small number of the bug fixes that became available in the 11.1.1.6.9 through 11.1.1.6.11 Suite Bundle Patches are not available in the 11.1.1.7.1 Suite Bundle Patch. Carefully review the list of bugs that are fixed in this Suite Bundle Patch before applying it to your system.
  • Oracle Exalytics customers must not install this Oracle Business Intelligence Suite Bundle Patch unless it is certified for the specific Oracle Exalytics Patch or Patchset Update that they are applying. For more information see Oracle Fusion Middleware Installation and Administration Guide for Oracle Exalytics In-Memory Machine and the Oracle Exalytics certification information.
  • For Oracle Fusion Applications customers, this Oracle Business Intelligence Suite Bundle Patch will be applied as part of a Fusion Applications installation or upgrade. Oracle Fusion Applications customers must not apply this Suite Bundle Patch independently.
  • The Oracle Business Intelligence Suite Bundle Patch 11.1.1.7.1 is cumulative and might include patches that you might have already applied to the Oracle BI system. Therefore, when you install the Suite Bundle Patch, you might see warning messages that indicate that earlier patches are being rolled back. These warnings simply indicate that oPatch is working correctly, and do not require any action.
  • If you have horizontally scaled out the Oracle BI system on to multiple machines, then you must apply the Oracle Business Intelligence Suite Bundle Patch 11.1.1.7.1 and the Dynamic Monitoring Service patch to all machines in the cluster.
  • When the installation of the Suite Bundle Patch is complete and the Oracle BI system is running again, end users might experience unexpected behavior due to pre-existing browser sessions that cache javascript from the earlier Oracle BI release. To avoid unnecessary support requests, ask all end users to clear their browser cache.

Exalytics Installation in progress

Exalytics Installation in progress

Today I began my first of three Exalytics installations at a client. I am geeking out just working on the hardware.

Rather than having Oracle do the software installation, this client has opted for me to install EPM and OBIEE on these servers. The standard installation for EPM is Essbase only where this client is going to host the majority of their EPM stack (Planning and Essbase along with other requisite software) on the Exalytics servers and HFM/FDM/ODI/EPMA on Windows.

The Exalytics server isn’t that much different from any other 64-bit Linux server with the exception of the 1TB of RAM and 40 processing cores.  The OS is Oracle Linux release 5.5, which appears to be based on Red Hat Enterprise Linux 5.5.  The same downloads and installation steps for a regular 64-bit EPM install are used on Exalytics with very few exceptions.  I will follow up on the status with my thoughts as the project progresses.