Wednesday, June 20, 2018

SSL TLS 1.2, OHS, and... Calculation Manager???

With more and more folks migrating Oracle EPM / Hyperion from on-premises data centers to 3rd-party hosted environments, the topics of Secure Socket Layer ("SSL") and support for TLS 1.2 are becoming much more common conversations.

The devil, of course, is in the details.

As a matter of policy, many 3rd-party hosting companies and/or IT departments are disabling SSL protocols 2.0, 3.0, TLS 1.0, and TLS 1.1 by default.  Security vulnerabilities for those older protocols are to blame.  This leaves us with TLS 1.2 as the preferred option for SSL.

The problem, though, is EPM uses Oracle HTTP Server ("OHS") under the covers, and guess what?  OHS cannot support any TLS protocol higher than version TLS 1.0.

But wait!  Isn't EPM certified by Oracle to use Microsoft IIS 8.5 as the web proxy, which supports TLS 1.2?  Yes, indeed it is.  But, the SSL configuration documentation for EPM is OHS-centric;  the IIS-related matters are incomplete and several important configuration details are missing in various blogs and Knowledge Base articles.  (Case in point: manual edits required for iisproxy.ini are completely missing in the EPM-centric documentation currently available as of this writing).

This brings us to the Oracle Knowledge Base article named "How To Update OHS In EPM System To (Doc ID 2406726.1)"

This article provides steps on how to perform an in-place upgrade from OHS to for EPM  Oracle certifies that OHS supports the TLS 1.2. SSL protocol.  The procedure to upgrade OHS is easy to follow.

But, there's a catch, and this is the point of today's blog post.

OHS and Hyperion Calculation Manager do not play well together!  After applying the OHS in-place upgrade, attempting to login to Calculation Manager results in a blank tab in EPM Workspace.  There are no blog posts or Knowledge Base articles on how to fix this.... until now!

The fix is buried within the release notes for the EPM Shared Services patch

Open a command prompt and CD to your Oracle EPM Instance home's \bin folder on any of your Hyperion servers.  The default location for this is D:\Oracle\Middleware\user_projects\epmsystem1\bin for most Microsoft-based systems.   UNIX nerds like me; you know the drill!  (Swap the direction of the slashes)

Paste this command:

epmsys_registry addProperty /CALC_MANAGER_PRODUCT/@BINDOWS_ENABLED true  

Then restart your Calculation Manager service, and you're good to go.

What you've just done is you went back in time to the days and instructed Calculation Manager that it should not use the Application Development Framework ("ADF") interface, which apparently OHS has an issue with.

Hopefully, Oracle will use a future patch to remediate this.  But for now, carry on and be safe out there!

Monday, May 21, 2018

Hyperion / Oracle EPM Release Observations

Oracle last recompiled EPM on April 18, 2018, and branded the new release as EPM  This updated release is the only version available for download on Oracle eDelivery, and it was published without fanfare or a press release in last April or early May.

I took for a spin over the weekend, and here are my initial findings.

First, let's get this out of the way:

This hearkens back to the release, when there was no migration path.  The vast majority of Oracle customers who wanted to upgrade from 9.x or 11.1.1.x wisely choose to wait until was released, and I'm going to recommend that be avoided for anyone who utilizes Hyperion Financial Reporting.

Let's review the pros and cons.


  • The Reporting Analysis Framework “RM1” data folder no longer exists.  All Financial Reporting design/metadata now exclusively resides within the relational database, eliminating the requirement for a shared data folder when Financial Reporting is clustered.
  • The Reporting Analysis Framework Agent and Web Tier modules no longer exist.  This simplifies the footprint of the Financial Reporting stack.
  • We no longer need to remember to disable the unused Impact Management menu in Workspace.
  • The diagnostics/logs/ReportingAnalysis folder no longer exists, reducing log clutter and eliminating a troubleshooting point. 
  • The loganalysis report is no longer be flooded with “INCOMING CONNECTION ABORTED” from the GSM log, as GSM and its log no longer exist.
  • There is no longer a lengthy timeout delay when logging into EPM Workspace if the Reporting stack is offline.
  • The File->Import user interface in Explorer responds noticeably faster than prior releases.
  • As promised in previous Statement of Direction publications on Oracle’s website, both Hyperion WebAnalysis and Interactive Reporting are no longer available.  This is considered a “Pro” for installation consultants, but may be considered a “Con” for any Oracle customer who has not yet migrated their application content out of those old technologies.

  • The command-line utilities to manage POVs and launch scheduled jobs are missing.  Oracle has noted this as a Known Issue, and has indicated the missing utilities will be re-introduced at some later date.  For some of our end-users, the inability to launch scheduled jobs for Financial Reporting from an external scheduling tool is a deal-breaker.
  • The ability to export multiple folders from Explorer has been removed; folders may only be exported one at a time.
  • There is no clear migration path from any prior release to  While Financial Reporting is exposed to LCM, the LCM folder structure is different between and all prior releases.  In the readme, Oracle states “You cannot upgrade to this release from a previous release. If you are using release, install a new environment and create new applications.”
  • The initial pop-up error we used to receive when the Reporting Analysis Framework Agent and Web Tier weren’t started in the proper error has been replaced with a different error.  We have a brand new error message for end-users to hound us about.

  • The readme states ADF patch # 24113405. is required.  This patch does not exist, and the installation consultant needs to perform a search for the correct ADF patch.
  • The readme states WebLogic patch 20780171_1036_Generic (“EJUW”)  is required.  This patch is 2 years old and has been superseded multiple times by newer patches.  The installation consultant needs to perform a search for the correct WebLogic patch.
  • Java, JRockit, WebLogic and Oracle HTTP Server (OHS) are missing the critical security updates previously announced by Oracle for Spectre, Meltdown, Apache Struts, and other vulnerabilities.  The underlying middleware in is the same as
  • The security roles for Financial Reporting are completely different in versus all prior releases; security cannot be migrated from a prior release without manipulating the LCM artifacts via a custom script.  Such a migration would be unlikely to be supported by Oracle. 
 The "Reporting Analysis Framework" node is completely missing.  Security provisioning for Financial Reporting is now tucked underneath "Default Application Group".  The "Explorer" role is removed.

I do like the fact that the number of roles has been significantly reduced, so eventually my position on this will change from "Con" to "Pro", but only after Oracle rolls out a future patch or release that provides a migration path from and prior.

  • The Tools->Install menu for the Financial Reporting Studio thick client has been removed.  End-users are “encouraged” to use the Web Studio instead.  The thick client still exists behind the scenes and may be found here:  Oracle/Middleware/EPMSystem11R1/products/financialreporting/install/bin/FinancialReportingStudio.exe
  • Google Chrome has been decertified by Oracle for and is no longer supported.
  • The “Open In Studio Preview option” option has been removed in Workspace.
  • The proxy settings for Financial Reporting Web Studio are missing, and must be manually added to the web server’s configuration.
  • The sample reports created in and prior versions when deploying the sample “Vision” Planning application do not get created in this new release.
  • Migrating reports from into, via File->Import in Workspace, appears to work, but the reports do not render properly.  Certain members within the reports are instead displayed as the text “UNDEFINED EDGE CELL”.  This must be why the states "create new applications" - I suspect they really mean "create new reports from scratch".  This would be a deal-breaker for many of my clients.
  • For reports with a run-time point of view, the “Preview Point of View” screen is buggy and does not render the hierarchy in question.  The first generation beneath the dimension root is rendered as blank spaces.
For now, I advocate that anyone wishing to upgrade to from a prior release open an SR with Oracle, requesting the pre- version of the eDelivery download media.  The exception to this would be a pure Essbase-only play, where Financial Reporting isn't in scope.