Here is the underlying problem:
Once your DBA has configured the back-end relational database to only accept SSL client connections, it is impossible to create (or use) a data source within Hyperion Planning's data source administration screen. This is because, unlike the EPM System Configurator, there is no checkbox for enabling SSL, and no input boxes to specify your Java keystore and password. This means we have to click the checkbox for a custom JDBC URL, and we must figure out the syntax ourselves.
After reaching multiple dead-ends, I stumbled upon the solution. Because I had already gone through the steps of configuring SSL for the various databases, and I deployed the applications to WebLogic, the JDBC URL syntax we need to emulate has already been provided!
On any of your EPM servers where you've deployed to WebLogic, navigate to this folder:
Let's walk through a specific example. Suppose we have already created our Java keystore with a default password of "changeme", as per Oracle's documentation within epm_security.pdf, and we've saved it as:
Furthermore, let's say we're using Microsoft SQL Server as our database (2008 or 2012, but you want to be using 2012 by now), and we have empty database named "Vision" for our new Planning data source.
In this scenario, here's the custom JDBC URL we'd copy & paste into the data source creation screen. Bear in mind, the text you see below is all one line. I've added linebreaks for ease of reading:
jdbc:weblogic:sqlserver://SQLSERVERHOSTNAME:1433; databaseName=Vision; ENCRYPTIONMETHOD=SSL; TRUSTSTORE=E:\Oracle\Middleware\ssl\myIdentity.jks; TRUSTSTOREPASSWORD=changeme; VALIDATESERVERCERTIFICATE="true"; loadLibraryPath=E:\Oracle\Middleware\wlserver_10.3\server\lib
Personally, I find configuring EPM for full end-to-end SSL extremely time consuming and tedious. My preference is to put an SSL offloader in front of Oracle HTTP Server, but some IT organizations are becoming increasingly concerned about hardening their data's security as it passes through their internal network.
Post a Comment
Thank you very much for your interest in this blog! I hope you're finding it helpful.
Please keep comments relevant to the topic in the post, as this blog is not a free-for-all substitute for Oracle Support or traditional consulting. If you have many questions unrelated to the specific topic at hand, consider contacting me on LinkedIn (https://www.linkedin.com/in/daveshay) so we may discuss the possibility of consulting.
Commenting on posts older than 90 days unfortunately goes into moderation, thanks to spammers who've been hitting this blog. Please have patience, and thanks for your understanding!
Comments including URLs linking back to gambling or other things unrelated to Oracle EPM will be deleted on sight. If you're an EPM consultant and are offering me constructive criticism or a tip, go ahead and DO link back to your blog or firm's website if you so desire.
Thanks again for reading!