Saturday, August 4, 2018

Updates made to 2 prior posts

Two of the scripts provided in Upgrading to Java 7 for EPM 11.1.2.4 - It doesn't need to be difficult! have been updated.  If you saved a copy of the scripts from the original post, please grab updated copies of SwapJava.bat and sed.ps1 from the updated post.

Additional information has been added to SSL TLS 1.2, OHS 11.1.1.9, and... Calculation Manager??? because:
  1. Oracle redacted the Knowledge Base article I referred to; it still exists, but is flagged as Oracle internal-only now.
  2. A Calculation Manager patch (11.1.2.4.013) has been issued that solves the problem described in my post linked above.
Look for a new post soon that provides more information about upgrading to OHS 11.1.1.9 for SSL protocol TLS 1.2 support.  The 30-second soundbyte is OHS 11.1.1.9 breaks Hyperion Planning web forms, unless you either open them in the Simplified Interface (not possible for Workforce Planning), or via SmartView.  There's a fix for this, which I'll cover in my upcoming post.

Wednesday, July 4, 2018

Upgrading to Java 7 for EPM 11.1.2.4 - It doesn't need to be difficult!

First, some background information to put this post into proper context.

All Oracle EPM / Hyperion systems in the 11.1.2.x on-premises series of releases have Java SE 6 and JRockit 6 bundled with the software.  Oracle KB article # 2244851.1 states that both Java SE 6 and JRockit 6 will be coming out of Extended Support in December 2018; no new security patches will be issued for Java 6 & JRockit 6 beyond that date.  (Disclaimer: I'm not an Oracle employee and do not speak on behalf of Oracle Corporation)

In mid-June 2018, Oracle published KB article # 2351499.1.  This article contains two crucial pieces of information:
1. That EPM 11.1.2.4 is certified for Java SE 7, which replaces both Java SE 6 and JRockit 6.
2. A detailed technical procedure on how to manually update the system configuration accordingly.

When I first read through the article, the steps made sense... but what a tedious, manual process!  I was dreading having to do it for multiple customer systems, inevitably committing human error along the way, and then spending extra time figuring out what went wrong.

What we need here is automation to streamline the process, so let's get to it!  The process I'm about to describe was written for Windows-based systems, but could easily be adapted to a UNIX shell script as well.

  • SwapJava.bat - This is our main wrapper script that guides us through the process.
  • RecursiveReplace.ps1 - This Powershell script is used behind the scenes to recursively descend through a folder structure and replace any arbitrary text specified.  There are tools such as UltraEdit that do this, but I wanted to script the whole thing.
  • sed.ps1 - This Powershell script is very similar to RecursiveReplace.ps1, except here we are editing a single file at a time.
  • ScriptEnv.bat - This defines environment variables that I leverage across my entire suite of scripts; SwapJava.bat only needs a handful of them.
We double-click SwapJava.bat and it does the heavy lifting. The things you have to do yourself are:
  • Download and install Java into the location suggested by the messages you see from SwapJava.bat.
  • Export the Hyperion Solutions section from the Windows Registry.
  • Import the Hyperion Solutions .reg file once SwapJava.bat finishes manipulating it.
  • Inspect essbase.cfg, to see if anybody customized the jvm setting.
  • Import your Root and Intermediate certificates into JDK 7's cacerts file, if you had previously configure the system for SSL.
Want to see the code?  Read on!

August 4, 2018 update - if you downloaded my scripts previously, please re-download SwapJava.bat and sed.ps1, and both have been modified since the original post.

SwapJava.bat

@ECHO off
REM SwapJava.bat
REM
REM This script provides a guided process on replacing Oracle EPM's JDK 1.6 and JRockit 6
REM with Java 7.  Oracle has certified only EPM 11.1.2.4 to use Java 7 behind the scenes.
REM All older versons of EPM will need to remain on JDK 1.6 and JRockit 6 until the EPM
REM system is upgraded to EPM 11.1.2.4.0 or higher.
REM
REM This script must be executed on each EPM server.
REM
REM Other required scripts:
REM ScriptEnv.bat, sed.ps1 and RecursiveReplace.ps1
REM
REM This script is based upon instructions provide by Oracle on how to manually replace Java:
REM "How to Configure an Existing EPM 11.1.2.4 With Java 7" (Doc ID 2351499.1)
REM
REM  Written 07/04/2018 by Dave Shay (Datavail)

REM Modified 07/30/2018 by Dave Shay - Additional edit-replace operations in hyperion.reg.
REM Modified MM/DD/YYYY by Your Name - Briefly list changes made

CALL D:\Scripts\ScriptEnv.bat

ECHO --------------------------------------------------
ECHO This is a guided process to replace JDK SE 1.6 and JRockit 6 with JDK SE 7.
ECHO This process is only certified for EPM 11.1.2.4.0 and higher.
ECHO
ECHO Please shut down all EPM services, including the WebLogic Admin Server now.
PAUSE

ECHO Please install 64-bit JDK SE 1.7 (JDK7u181 or higher) now.
ECHO Override the suggested installation directory to:
ECHO %HYPDRIVE%\Oracle\Middleware\jdk7
ECHO You may click Cancel when prompted to install the public JRE.
ECHO Once installed, you can zip up the jdk7 folder and copy it to the other servers.
PAUSE

ECHO Now launch REGEDIT and export HKEY_LOCAL_MACHINE\SOFTWARE\Hyperion Solutions
ECHO and save the file as:
ECHO %SCRIPTDIR%\hyperion.reg

ECHO If this server runs Essbase only, the registry might not
ECHO contain a Hyperion Solutions hierarchy.
PAUSE

ECHO We're going to attempt to run an unsigned Windows PowerShell script now.
ECHO If you an error message in red, get assistance from your IT department
ECHO to temporarily alter the security policy on the EPM servers.
powershell.exe Set-ExecutionPolicy Unrestricted

ECHO If you got the error, please fix it now before proceding further.
PAUSE

ECHO Applying fixes to your exported hyperion.reg file....
COPY %SCRIPTDIR%\hyperion.reg %SCRIPTDIR%\hyperion.java6backup
powershell.exe %SCRIPTDIR%\sed.ps1 -file %SCRIPTDIR%\hyperion.reg -old jrockit_160_37\\jre\\bin\\jrockit\\jvm.dll -new jdk7\\jre\\bin\\server\\jvm.dll
powershell.exe %SCRIPTDIR%\sed.ps1 -file %SCRIPTDIR%\hyperion.reg -old JROCKI~2\\lib\\tools.jar -new jdk7\\lib\\tools.jar
powershell.exe %SCRIPTDIR%\sed.ps1 -file %SCRIPTDIR%\hyperion.reg -old jrockit_160_37 -new jdk7
powershell.exe %SCRIPTDIR%\sed.ps1 -file %SCRIPTDIR%\hyperion.reg -old jdk160_35 -new jdk7


ECHO Now please double-click %SCRIPTDIR%\hyperion.reg, and click Yes when prompted.
PAUSE

ECHO Backing up and editing setJavaRuntime.bat....
COPY %EPM_MW_HOME%\common\config\11.1.2.0\setJavaRuntime.bat setJavaRuntime.java6
powershell.exe %SCRIPTDIR%\sed.ps1 -file %EPM_MW_HOME%\common\config\11.1.2.0\setJavaRuntime.bat -old jdk160_35 -new jdk7

ECHO Backing up and editing setDomainEnv.cmd....
ECHO This file might not exist on an Essbase server, and that's OK.
SET DOMAINHOME=%HYPDRIVE%\Oracle\Middleware\user_projects\domains\EPMSystem
COPY %DOMAINHOME%\bin\setDomainEnv.cmd setDomainEnv.java6
powershell.exe %SCRIPTDIR%\sed.ps1 -file %DOMAINHOME%\bin\setDomainEnv.cmd -old jrockit_160_37 -new jdk7

ECHO Backing up and editing deploymentScripts....
ECHO The edit we're doing here assumes FlightRecorder is turned off.
ECHO If someone previously enabled FlightRecorder for monitoring purposes,
ECHO this edit/replace operation might not work propertly, and you may
ECHO need to manually add to your JAVA_OPTIONS:
ECHO -XX:-UnlockCommercialFeatures
SET DEPDIR=%EPM_INSTANCE_HOME%\bin\deploymentScripts
MKDIR %DEPDIR%\Backup
COPY %DEPDIR%\*.bat %DEPDIR%\Backup\
powershell.exe %SCRIPTDIR%\RecursiveReplace.ps1 -editDir %DEPDIR% -old '-XX:-FlightRecorder' -new '-XX:-UnlockCommercialFeatures -XX:-FlightRecorder'
PAUSE

ECHO Don't worry if the next step produces an error message.
ECHO Here, we are backing up and editing a file that only exists on an Essbase server.
COPY %EPM_INSTANCE_HOME%\config\OPMN\opmn\opmn.xml %EPM_INSTANCE_HOME%\config\OPMN\opmn\opmn-java6
powershell.exe %SCRIPTDIR%\sed.ps1 -file %EPM_INSTANCE_HOME%\config\OPMN\opmn\opmn.xml -old jdk160_35 -new jdk7
PAUSE

ECHO If this an an Essbase server, please now inspect the essbase.cfg file, usually located here:
ECHO %EPM_INSTANCE_HOME%\EssbaseServer\essbaseserver1\bin\essbase.cfg
ECHO If the line containing the text "JvmModuleLocation" does not begin with a semicolon ";"
ECHO then you will need to manually change it to
ECHO %EPM_MW_HOME%\jdk7\jre\bin\server\jvm.dll
PAUSE

ECHO Don't worry if the next step produces an error message.
ECHO This step applicable on the EPMA Server host only.
COPY %EPM_INSTANCE_HOME%\config\EPMA\BPMA_Server_Config.xml %EPM_INSTANCE_HOME%\config\EPMA\BPMA_Server_Config.java6
powershell.exe %SCRIPTDIR%\sed.ps1 -file %EPM_INSTANCE_HOME%\config\EPMA\BPMA_Server_Config.xml -old jdk160_35 -new jdk7
PAUSE

ECHO Don't worry if the next step produces an error message.
ECHO This step applicable if the EAS Console was installed.
COPY %EPM_MW_HOME%\products\Essbase\eas\console\bin\admincon.bat %EPM_MW_HOME%\products\Essbase\eas\console\bin\admincon.java6
powershell.exe %SCRIPTDIR%\sed.ps1 -file %EPM_MW_HOME%\products\Essbase\eas\console\bin\admincon.bat -old jdk160_35 -new jdk7
PAUSE

ECHO And now likewise for the Financial Reporting Studio thick client....
COPY %EPM_MW_HOME%\products\financialreporting\bin\setJavaRuntime.cmd %EPM_MW_HOME%\products\financialreporting\bin\setJavaRuntime.java6
powershell.exe %SCRIPTDIR%\sed.ps1 -file %EPM_MW_HOME%\products\financialreporting\bin\setJavaRuntime.cmd -old jdk160_35 -new jdk7
PAUSE

ECHO --------------------------------------------------
ECHO Final step!  If your system was previously configured for SSL,
ECHO the Root and Intermediate certificates need to be imported into:
ECHO %HYPDRIVE%\Oracle\Middleware\jdk7\jre\lib\security\cacerts
ECHO Restart services and start testing!
ECHO --------------------------------------------------
PAUSE


RecursiveReplace.ps1

# RecursiveReplace.ps1
#
# This Powershell script recursively replaces all references of text within
# a directory hierarchy.  If the specified directory contains subdirectories,
# it will recursively descend into all subdirectories and repeat the process.
#
# Syntax:  powershell D:\Scripts\RecursiveReplace.ps1 -editDir <directory name> -old '<old text>' -new '<new text>'
# Example: powershell D:\Scripts\RecursiveReplace.ps1 -editDir D:\import_export\ExportSharedServices -old EssbaseCluster-1 -new 'Prod Essbase'
#
# If the values supplied to either -old or -new must contain spaces,
# then those values should be enclosed with single quote (') characters.
#
# If you receive a security policy error about “unsigned” Powershell scripts when
# running this process, open a command prompt and type:
# powershell.exe Set-ExecutionPolicy Unrestricted
#
#  Written on 04/09/2015 by Dave Shay (Datavail)
# Modified on MM/DD/YYYY by Your Name - Briefly describe changes

param($editDir, $old, $new)

# $editFiles=Get-ChildItem $editDir * -Recurse
$editFiles=Get-ChildItem $editDir -Recurse | Where-Object{!($_.PSIsContainer)}

foreach ($file in $editFiles)
{
    if(Select-String $file.PSPath -pattern "$old")
    {
        Write-Host Found matching text within $file.FullName
       
        (Get-Content $file.PSPath) |
        Foreach-Object {$_ -replace "$old", "$new"} |
        Set-Content $file.PSPath
    }
}


sed.ps1

# sed.ps1
#
# This Powershell script replaces all references of text within
# a specified file.
#
# Syntax:  powershell D:\Scripts\sed.ps1 -file <path\to\file> -old '<old text>' -new '<new text>'
# Example: powershell D:\Scripts\sed.ps1 -file D:\Scriipts\Hyperion.reg -old jdk160_36 -new jdk7
#
# If the values supplied to either -old or -new must contain spaces,
# then those values should be enclosed with single quote (') characters.
#
# If you receive a security policy error about “unsigned” Powershell scripts when
# running this process, open a command prompt and type:
# powershell.exe Set-ExecutionPolicy Unrestricted
#
#  Written on 07/04/2018 by Dave Shay (Datavail)

# Modified on 07/30/2018 by Dave Shay - Added the SimpleMatch parameter and simplified
#    the text replacement command.
# Modified on MM/DD/YYYY by Your Name - Briefly describe changes

param($file, $old, $new)

if(Select-String -SimpleMatch -Path $file -pattern $old)
{
    Write-Host Found matching text within $file
  
    (Get-Content $file).replace($old, $new) | Set-Content $file
}


ScriptEnv.bat
(The file I use is larger... here I am just revealing the variables used by SwapJava.bat)

@echo off
REM ScriptEnv.bat
REM
REM This script is called by most of the other automation scripts and utilities
REM written by Datavail's EPM practice.  Modify the variable values below
REM as appropriate for your environment.
REM
REM  Written on 04/18/2015 by Dave Shay (Datavail)
REM Modified on MM/DD/YYYY by Your Name - Briefly list changes made

REM Modify the values below as appropriate for your environment, but
REM do not change the names of the variables.

Set EPM_INSTANCE_NAME=epmsystem1
Set HYPDRIVE=D:

Set EPM_INSTANCE_HOME=%HYPDRIVE%\Oracle\Middleware\user_projects\%EPM_INSTANCE_NAME%
Set EPM_MW_HOME=%HYPDRIVE%\Oracle\Middleware\EPMSystem11R1

Set SCRIPTDIR=%HYPDRIVE%\Scripts

Conclusion

With these scripts in hand, you can get through the process quickly, and with less human error.

If you're not comfortable doing this yourself, reach out to me on LinkedIn or contact a Datavail sales executive, and we can get a conversation started.

Best of luck out there!

Wednesday, June 20, 2018

SSL TLS 1.2, OHS 11.1.1.9, and... Calculation Manager???

With more and more folks migrating Oracle EPM 11.1.2.4 / Hyperion from on-premises data centers to 3rd-party hosted environments, the topics of Secure Socket Layer ("SSL") and support for TLS 1.2 are becoming much more common conversations.

The devil, of course, is in the details.

As a matter of policy, many 3rd-party hosting companies and/or IT departments are disabling SSL protocols 2.0, 3.0, TLS 1.0, and TLS 1.1 by default.  Security vulnerabilities for those older protocols are to blame.  This leaves us with TLS 1.2 as the preferred option for SSL.

The problem, though, is EPM 11.1.2.4 uses Oracle HTTP Server ("OHS") 11.1.1.7 under the covers, and guess what?  OHS 11.1.1.7 cannot support any TLS protocol higher than version TLS 1.0.

But wait!  Isn't EPM 11.1.2.4 certified by Oracle to use Microsoft IIS 8.5 as the web proxy, which supports TLS 1.2?  Yes, indeed it is.  But, the SSL configuration documentation for EPM 11.1.2.4 is OHS-centric;  the IIS-related matters are incomplete and several important configuration details are missing in various blogs and Knowledge Base articles.  (Case in point: manual edits required for iisproxy.ini are completely missing in the EPM-centric documentation currently available as of this writing).

This brings us to the Oracle Knowledge Base article named "How To Update OHS 11.1.1.7 In EPM System To 11.1.1.9 (Doc ID 2406726.1)"

July 4, 2018 update:  The Knowledge Base article mentioned above is no longer available to Oracle customers; the KB is now flagged as Oracle internal-only.  I'll write a new blog post that explains why I believe this is so, and what you can do if you've already upgraded from OHS 11.1.1.7 to 11.1.1.9, and one or more EPM modules are now non-functional.

This article provides steps on how to perform an in-place upgrade from OHS 11.1.1.7 to 11.1.1.9 for EPM 11.1.2.4.  Oracle certifies that OHS 11.1.1.9 supports the TLS 1.2. SSL protocol.  The procedure to upgrade OHS is easy to follow.

But, there's a catch, and this is the point of today's blog post.

OHS 11.1.1.9 and Hyperion Calculation Manager 11.1.2.4 do not play well together!  After applying the OHS 11.1.1.9 in-place upgrade, attempting to login to Calculation Manager 11.1.2.4 results in a blank tab in EPM Workspace.  There are no blog posts or Knowledge Base articles on how to fix this.... until now!

The fix is buried within the release notes for the EPM Shared Services patch 11.1.2.3.500.

July 4, 2018 update:  The information below is obsolete.  I'm keeping it online for historical reference purposes.  Simply apply Calculation Manager patch 11.1.2.4.013 or higher.  This fixes the regression bug, and you don't need to execute the instructions listed below.

Open a command prompt and CD to your Oracle EPM Instance home's \bin folder on any of your Hyperion servers.  The default location for this is D:\Oracle\Middleware\user_projects\epmsystem1\bin for most Microsoft-based systems.   UNIX nerds like me; you know the drill!  (Swap the direction of the slashes)

Paste this command:

epmsys_registry addProperty /CALC_MANAGER_PRODUCT/@BINDOWS_ENABLED true  

Then restart your Calculation Manager service, and you're good to go.

What you've just done is you went back in time to the 11.1.2.3.0 days and instructed Calculation Manager that it should not use the 11.1.2.3.500+ Application Development Framework ("ADF") interface, which apparently OHS 11.1.1.9 has an issue with.

Hopefully, Oracle will use a future patch to remediate this.  But for now, carry on and be safe out there!

Monday, May 21, 2018

Hyperion / Oracle EPM 11.1.2.4.900 Release Observations

Oracle last recompiled EPM 11.1.2.4 on April 18, 2018, and branded the new release as EPM 11.1.2.4.900.  This updated release is the only version available for download on Oracle eDelivery, and it was published without fanfare or a press release in late April 2018 or early May.

I took 11.1.2.4.900 for a spin over the weekend, and here are my initial findings.

First, let's get this out of the way:













This hearkens back to the 11.1.2.0 release, when there was no migration path.  The vast majority of Oracle customers who wanted to upgrade from 9.x or 11.1.1.x wisely choose to wait until 11.1.2.1 was released, and I'm going to recommend that 11.1.2.4.900 be avoided for anyone who utilizes Hyperion Financial Reporting.

Let's review the pros and cons.


Pros:


  • The Reporting Analysis Framework “RM1” data folder no longer exists.  All Financial Reporting design/metadata now exclusively resides within the relational database, eliminating the requirement for a shared data folder when Financial Reporting is clustered.
  • The Reporting Analysis Framework Agent and Web Tier modules no longer exist.  This simplifies the footprint of the Financial Reporting stack.
  • We no longer need to remember to disable the unused Impact Management menu in Workspace.
  • The diagnostics/logs/ReportingAnalysis folder no longer exists, reducing log clutter and eliminating a troubleshooting point. 
  • The loganalysis report is no longer be flooded with “INCOMING CONNECTION ABORTED” from the GSM log, as GSM and its log no longer exist.
  • There is no longer a lengthy timeout delay when logging into EPM Workspace if the Reporting stack is offline.
  • The File->Import user interface in Explorer responds noticeably faster than prior releases.
  • As promised in previous Statement of Direction publications on Oracle’s website, both Hyperion WebAnalysis and Interactive Reporting are no longer available.  This is considered a “Pro” for installation consultants, but may be considered a “Con” for any Oracle customer who has not yet migrated their application content out of those old technologies.
Cons:

  • The command-line utilities to manage POVs and launch scheduled jobs are missing.  Oracle has noted this as a Known Issue, and has indicated the missing utilities will be re-introduced at some later date.  For some of our end-users, the inability to launch scheduled jobs for Financial Reporting from an external scheduling tool is a deal-breaker.
  • The ability to export multiple folders from Explorer has been removed; folders may only be exported one at a time.
  • There is no clear migration path from any prior release to 11.1.2.4.900.  While Financial Reporting 11.1.2.4.900 is exposed to LCM, the LCM folder structure is different between 11.1.2.4.900 and all prior releases.  In the 11.1.2.4.900 readme, Oracle states “You cannot upgrade to this release from a previous release. If you are using release 11.1.2.4.xxx, install a new 11.1.2.4.900 environment and create new applications.”
  • The initial pop-up error we used to receive when the Reporting Analysis Framework Agent and Web Tier weren’t started in the proper error has been replaced with a different error.  We have a brand new error message for end-users to hound us about.






  • The 11.1.2.4.900 readme states ADF patch # 24113405. is required.  This patch does not exist, and the installation consultant needs to perform a search for the correct ADF patch.
  • The 11.1.2.4.900 readme states WebLogic patch 20780171_1036_Generic (“EJUW”)  is required.  This patch is 2 years old and has been superseded multiple times by newer patches.  The installation consultant needs to perform a search for the correct WebLogic patch.
  • Java, JRockit, WebLogic and Oracle HTTP Server (OHS) are missing the critical security updates previously announced by Oracle for Spectre, Meltdown, Apache Struts, and other vulnerabilities.  The underlying middleware in 11.1.2.4.900 is the same as 11.1.2.4.0.
  • The security roles for Financial Reporting are completely different in 11.1.2.4.900 versus all prior releases; security cannot be migrated from a prior release without manipulating the LCM artifacts via a custom script.  Such a migration would be unlikely to be supported by Oracle. 
 The "Reporting Analysis Framework" node is completely missing.  Security provisioning for Financial Reporting is now tucked underneath "Default Application Group".  The "Explorer" role is removed.

I do like the fact that the number of roles has been significantly reduced, so eventually my position on this will change from "Con" to "Pro", but only after Oracle rolls out a future patch or release that provides a migration path from 11.1.2.4.70x and prior.




  • The Tools->Install menu for the Financial Reporting Studio thick client has been removed.  End-users are “encouraged” to use the Web Studio instead.  The thick client still exists behind the scenes and may be found here:  Oracle/Middleware/EPMSystem11R1/products/financialreporting/install/bin/FinancialReportingStudio.exe
  • Google Chrome has been decertified by Oracle for 11.1.2.4.900 and is no longer supported.
  • The “Open In Studio Preview option” option has been removed in Workspace.
  • The proxy settings for Financial Reporting Web Studio are missing, and must be manually added to the web server’s configuration.
  • The sample reports created in 11.1.2.4.0 and prior versions when deploying the sample “Vision” Planning application do not get created in this new release.
  • Migrating reports from 11.1.2.4.70x into 11.1.2.4.900, via File->Import in Workspace, appears to work, but the reports do not render properly.  Certain members within the reports are instead displayed as the text “UNDEFINED EDGE CELL”.  This must be why the 11.1.2.4.900 README states "create new applications" - I suspect they really mean "create new reports from scratch".  This would be a deal-breaker for many of my clients.
  • For reports with a run-time point of view, the “Preview Point of View” screen is buggy and does not render the hierarchy in question.  The first generation beneath the dimension root is rendered as blank spaces.
For now, I advocate that anyone wishing to upgrade to 11.1.2.4 from a prior release open an SR with Oracle, requesting the pre-11.1.2.4.900 version of the eDelivery download media.  The exception to this would be a pure Essbase-only play, where Financial Reporting isn't in scope.