Wednesday, June 20, 2018

SSL TLS 1.2, OHS 11.1.1.9, and... Calculation Manager???

With more and more folks migrating Oracle EPM 11.1.2.4 / Hyperion from on-premises data centers to 3rd-party hosted environments, the topics of Secure Socket Layer ("SSL") and support for TLS 1.2 are becoming much more common conversations.

The devil, of course, is in the details.

As a matter of policy, many 3rd-party hosting companies and/or IT departments are disabling SSL protocols 2.0, 3.0, TLS 1.0, and TLS 1.1 by default.  Security vulnerabilities for those older protocols are to blame.  This leaves us with TLS 1.2 as the preferred option for SSL.

The problem, though, is EPM 11.1.2.4 uses Oracle HTTP Server ("OHS") 11.1.1.7 under the covers, and guess what?  OHS 11.1.1.7 cannot support any TLS protocol higher than version TLS 1.0.

But wait!  Isn't EPM 11.1.2.4 certified by Oracle to use Microsoft IIS 8.5 as the web proxy, which supports TLS 1.2?  Yes, indeed it is.  But, the SSL configuration documentation for EPM 11.1.2.4 is OHS-centric;  the IIS-related matters are incomplete and several important configuration details are missing in various blogs and Knowledge Base articles.  (Case in point: manual edits required for iisproxy.ini are completely missing in the EPM-centric documentation currently available as of this writing).

This brings us to the Oracle Knowledge Base article named "How To Update OHS 11.1.1.7 In EPM System To 11.1.1.9 (Doc ID 2406726.1)"

July 4, 2018 update:  The Knowledge Base article mentioned above is no longer available to Oracle customers; the KB is now flagged as Oracle internal-only.  I'll write a new blog post that explains why I believe this is so, and what you can do if you've already upgraded from OHS 11.1.1.7 to 11.1.1.9, and one or more EPM modules are now non-functional.

This article provides steps on how to perform an in-place upgrade from OHS 11.1.1.7 to 11.1.1.9 for EPM 11.1.2.4.  Oracle certifies that OHS 11.1.1.9 supports the TLS 1.2. SSL protocol.  The procedure to upgrade OHS is easy to follow.

But, there's a catch, and this is the point of today's blog post.

OHS 11.1.1.9 and Hyperion Calculation Manager 11.1.2.4 do not play well together!  After applying the OHS 11.1.1.9 in-place upgrade, attempting to login to Calculation Manager 11.1.2.4 results in a blank tab in EPM Workspace.  There are no blog posts or Knowledge Base articles on how to fix this.... until now!

The fix is buried within the release notes for the EPM Shared Services patch 11.1.2.3.500.

July 4, 2018 update:  The information below is obsolete.  I'm keeping it online for historical reference purposes.  Simply apply Calculation Manager patch 11.1.2.4.013 or higher.  This fixes the regression bug, and you don't need to execute the instructions listed below.

Open a command prompt and CD to your Oracle EPM Instance home's \bin folder on any of your Hyperion servers.  The default location for this is D:\Oracle\Middleware\user_projects\epmsystem1\bin for most Microsoft-based systems.   UNIX nerds like me; you know the drill!  (Swap the direction of the slashes)

Paste this command:

epmsys_registry addProperty /CALC_MANAGER_PRODUCT/@BINDOWS_ENABLED true  

Then restart your Calculation Manager service, and you're good to go.

What you've just done is you went back in time to the 11.1.2.3.0 days and instructed Calculation Manager that it should not use the 11.1.2.3.500+ Application Development Framework ("ADF") interface, which apparently OHS 11.1.1.9 has an issue with.

Hopefully, Oracle will use a future patch to remediate this.  But for now, carry on and be safe out there!

3 comments:

  1. Hey Dave, Hope you are doing good.

    Currently am upgrading to EPM latest version 11.2.5 however I need to implement SSL terminating at OHS. In installation and configuration guide I see it is mentioned to refer Security configuration guide but when I checked security guide it says check in installation and configuration guide. It's a puzzle where Oracle has provided complete steps to configuration SSL till OHS. It could be great if you can let me know where to find or how to implement it.

    Thanks in advance.
    VK

    ReplyDelete
    Replies
    1. Hi Vikram, finding the precise location is quite a puzzle indeed. The answer is found in the Oracle Fusion Middleware 12.2.1.4 SSL guide, which I've linked here for convenience.
      https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/asadm/configuring-ssl1.html#GUID-DFE1BBED-EF11-47FA-9EF6-782DB2FE3C1A

      Delete

Thank you very much for your interest in this blog! I hope you're finding it helpful.

Please keep comments relevant to the topic in the post, as this blog is not a free-for-all substitute for Oracle Support or traditional consulting. If you have many questions unrelated to the specific topic at hand, consider contacting me on LinkedIn (https://www.linkedin.com/in/daveshay) so we may discuss the possibility of consulting.

Commenting on posts older than 90 days unfortunately goes into moderation, thanks to spammers who've been hitting this blog. Please have patience, and thanks for your understanding!

Comments including URLs linking back to gambling or other things unrelated to Oracle EPM will be deleted on sight. If you're an EPM consultant and are offering me constructive criticism or a tip, go ahead and DO link back to your blog or firm's website if you so desire.

Thanks again for reading!