Wednesday, June 20, 2018

SSL TLS 1.2, OHS 11.1.1.9, and... Calculation Manager???

With more and more folks migrating Oracle EPM 11.1.2.4 / Hyperion from on-premises data centers to 3rd-party hosted environments, the topics of Secure Socket Layer ("SSL") and support for TLS 1.2 are becoming much more common conversations.

The devil, of course, is in the details.

As a matter of policy, many 3rd-party hosting companies and/or IT departments are disabling SSL protocols 2.0, 3.0, TLS 1.0, and TLS 1.1 by default.  Security vulnerabilities for those older protocols are to blame.  This leaves us with TLS 1.2 as the preferred option for SSL.

The problem, though, is EPM 11.1.2.4 uses Oracle HTTP Server ("OHS") 11.1.1.7 under the covers, and guess what?  OHS 11.1.1.7 cannot support any TLS protocol higher than version TLS 1.0.

But wait!  Isn't EPM 11.1.2.4 certified by Oracle to use Microsoft IIS 8.5 as the web proxy, which supports TLS 1.2?  Yes, indeed it is.  But, the SSL configuration documentation for EPM 11.1.2.4 is OHS-centric;  the IIS-related matters are incomplete and several important configuration details are missing in various blogs and Knowledge Base articles.  (Case in point: manual edits required for iisproxy.ini are completely missing in the EPM-centric documentation currently available as of this writing).

This brings us to the Oracle Knowledge Base article named "How To Update OHS 11.1.1.7 In EPM System To 11.1.1.9 (Doc ID 2406726.1)"

This article provides steps on how to perform an in-place upgrade from OHS 11.1.1.7 to 11.1.1.9 for EPM 11.1.2.4.  Oracle certifies that OHS 11.1.1.9 supports the TLS 1.2 SSL protocol.  The procedure to upgrade OHS is easy to follow.

But, there's a catch, and this is the point of today's blog post.

OHS 11.1.1.9 and Hyperion Calculation Manager 11.1.2.4 do not play well together!  After applying the OHS 11.1.1.9 in-place upgrade, attempting to log in to Calculation Manager 11.1.2.4 results in a blank tab in EPM Workspace.  There are no blog posts or Knowledge Base articles on how to fix this... until now!

The fix is buried within the release notes for the EPM Shared Services patch 11.1.2.3.500.

Open a command prompt and CD to your Oracle EPM Instance home's \bin folder on any of your Hyperion servers.  The default location for this is D:\Oracle\Middleware\user_projects\epmsystem1\bin for most Microsoft-based systems.  UNIX nerds like me: you know the drill!  (Swap the direction of the slashes.)

Paste this command:

epmsys_registry addProperty /CALC_MANAGER_PRODUCT/@BINDOWS_ENABLED true  

Then restart your Calculation Manager service, and you're good to go.

What you've just done is you went back in time to the 11.1.2.3.0 days and instructed Calculation Manager that it should not use the 11.1.2.3.500+ Application Development Framework ("ADF") interface, which apparently OHS 11.1.1.9 has an issue with.

Hopefully, Oracle will use a future patch to remediate this.  But for now, carry on and be safe out there!
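
A quick way to confirm the protocol outcome described above after the OHS upgrade, as an added example that is not from the original post or from Oracle: it offers an HTTPS listener one protocol version at a time and flags anything other than TLS 1.2 that is still accepted. The function names, the ALLOWED policy set and the host you pass in are assumptions for illustration.

```python
import socket
import ssl

# Protocol versions discussed in the post; the hosting policy there allows only TLS 1.2.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}
ALLOWED = {"TLS 1.2"}  # assumption: the policy described in the post


def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'refused' or 'unreachable' for one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This is a protocol probe, not a trust decision, so certificate checks are off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Recent OpenSSL builds will not offer TLS 1.0/1.1 at the default security level.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except (ssl.SSLError, OSError):
        return "refused"
    finally:
        raw.close()


def scan(host, port=443):
    """Probe every version in VERSIONS and return {name: outcome}."""
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}


def audit(results, allowed=ALLOWED):
    """Turn {version name: probe outcome} into a list of policy findings."""
    findings = []
    for name, outcome in results.items():
        if outcome == "accepted" and name not in allowed:
            findings.append(f"{name} is still accepted; disable it on the listener")
        elif outcome != "accepted" and name in allowed:
            findings.append(f"{name} is not available ({outcome}); clients will fail")
    return findings
```

Run `audit(scan("your-ohs-host"))` from a machine that can reach the web tier, before and after the upgrade; an empty list means the listener matches the TLS 1.2-only policy.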

Monday, May 21, 2018

Hyperion / Oracle EPM 11.1.2.4.900 Release Observations

Oracle last recompiled EPM 11.1.2.4 on April 18, 2018, and branded the new release as EPM 11.1.2.4.900.  This updated release is the only version available for download on Oracle eDelivery, and it was published without fanfare or a press release in late April or early May.

I took 11.1.2.4.900 for a spin over the weekend, and here are my initial findings.

First, let's get this out of the way:













This hearkens back to the 11.1.2.0 release, when there was no migration path.  The vast majority of Oracle customers who wanted to upgrade from 9.x or 11.1.1.x wisely chose to wait until 11.1.2.1 was released, and I'm going to recommend that 11.1.2.4.900 be avoided for anyone who utilizes Hyperion Financial Reporting.

Let's review the pros and cons.


Pros:


  • The Reporting Analysis Framework “RM1” data folder no longer exists.  All Financial Reporting design/metadata now exclusively resides within the relational database, eliminating the requirement for a shared data folder when Financial Reporting is clustered.
  • The Reporting Analysis Framework Agent and Web Tier modules no longer exist.  This simplifies the footprint of the Financial Reporting stack.
  • We no longer need to remember to disable the unused Impact Management menu in Workspace.
  • The diagnostics/logs/ReportingAnalysis folder no longer exists, reducing log clutter and eliminating a troubleshooting point. 
  • The loganalysis report is no longer flooded with “INCOMING CONNECTION ABORTED” from the GSM log, as GSM and its log no longer exist.
  • There is no longer a lengthy timeout delay when logging into EPM Workspace if the Reporting stack is offline.
  • The File->Import user interface in Explorer responds noticeably faster than prior releases.
  • As promised in previous Statement of Direction publications on Oracle’s website, both Hyperion WebAnalysis and Interactive Reporting are no longer available.  This is considered a “Pro” for installation consultants, but may be considered a “Con” for any Oracle customer who has not yet migrated their application content out of those old technologies.
Cons:

  • The command-line utilities to manage POVs and launch scheduled jobs are missing.  Oracle has noted this as a Known Issue, and has indicated the missing utilities will be re-introduced at some later date.  For some of our end-users, the inability to launch scheduled jobs for Financial Reporting from an external scheduling tool is a deal-breaker.
  • The ability to export multiple folders from Explorer has been removed; folders may only be exported one at a time.
  • There is no clear migration path from any prior release to 11.1.2.4.900.  While Financial Reporting 11.1.2.4.900 is exposed to LCM, the LCM folder structure is different between 11.1.2.4.900 and all prior releases.  In the 11.1.2.4.900 readme, Oracle states “You cannot upgrade to this release from a previous release. If you are using release 11.1.2.4.xxx, install a new 11.1.2.4.900 environment and create new applications.”
  • The initial pop-up error we used to receive when the Reporting Analysis Framework Agent and Web Tier weren’t started in the proper order has been replaced with a different error.  We have a brand new error message for end-users to hound us about.






  • The 11.1.2.4.900 readme states ADF patch # 24113405 is required.  This patch does not exist, and the installation consultant needs to perform a search for the correct ADF patch.
  • The 11.1.2.4.900 readme states WebLogic patch 20780171_1036_Generic (“EJUW”)  is required.  This patch is 2 years old and has been superseded multiple times by newer patches.  The installation consultant needs to perform a search for the correct WebLogic patch.
  • Java, JRockit, WebLogic and Oracle HTTP Server (OHS) are missing the critical security updates previously announced by Oracle for Spectre, Meltdown, Apache Struts, and other vulnerabilities.  The underlying middleware in 11.1.2.4.900 is the same as 11.1.2.4.0.
  • The security roles for Financial Reporting are completely different in 11.1.2.4.900 versus all prior releases; security cannot be migrated from a prior release without manipulating the LCM artifacts via a custom script.  Such a migration would be unlikely to be supported by Oracle. 
 The "Reporting Analysis Framework" node is completely missing.  Security provisioning for Financial Reporting is now tucked underneath "Default Application Group".  The "Explorer" role is removed.

I do like the fact that the number of roles has been significantly reduced, so eventually my position on this will change from "Con" to "Pro", but only after Oracle rolls out a future patch or release that provides a migration path from 11.1.2.4.70x and prior.




  • The Tools->Install menu for the Financial Reporting Studio thick client has been removed.  End-users are “encouraged” to use the Web Studio instead.  The thick client still exists behind the scenes and may be found here:  Oracle/Middleware/EPMSystem11R1/products/financialreporting/install/bin/FinancialReportingStudio.exe
  • Google Chrome has been decertified by Oracle for 11.1.2.4.900 and is no longer supported.
  • The “Open In Studio Preview” option has been removed in Workspace.
  • The proxy settings for Financial Reporting Web Studio are missing, and must be manually added to the web server’s configuration.
  • The sample reports created in 11.1.2.4.0 and prior versions when deploying the sample “Vision” Planning application do not get created in this new release.
  • Migrating reports from 11.1.2.4.70x into 11.1.2.4.900, via File->Import in Workspace, appears to work, but the reports do not render properly.  Certain members within the reports are instead displayed as the text “UNDEFINED EDGE CELL”.  This must be why the 11.1.2.4.900 readme states "create new applications" - I suspect they really mean "create new reports from scratch".  This would be a deal-breaker for many of my clients.
  • For reports with a run-time point of view, the “Preview Point of View” screen is buggy and does not render the hierarchy in question.  The first generation beneath the dimension root is rendered as blank spaces.
For now, I advocate that anyone wishing to upgrade to 11.1.2.4 from a prior release open an SR with Oracle, requesting the pre-11.1.2.4.900 version of the eDelivery download media.  The exception to this would be a pure Essbase-only play, where Financial Reporting isn't in scope.