1 person found this helpful
In most cases it is fine but there is an issue with Java 7 and full SSL with Essbase, this is due to TLS 1.2 being the default with Java 7 and OPMN 126.96.36.199 only supports TLS 1.0
More information in the support document - Essbase: After Upgrade of Java Bundled with Enterprise Performance Management (EPM) from 188.8.131.52 to 184.108.40.206+ or Java 1.7 Update 101+, Analytic Provider Services (APS) is Unable to Connectto SSL Enabled Essbase. Error: Received fatal alert: close_notify (Doc ID 2470194.1)
1 person found this helpful
Good morning - a couple of questions - you said FULL SSL, What database are you running? Oracle DB or SQL Server DB? If SQL Server DB - there might be some issues undocumented bugs you might face so JDK 1.6.0_211 is the safest bet for now util those bugs are addressed.
If Oracle DB then next question is which procedure did you follow for the upgrade of Java? I presume this was an existing install? So did you follow this link?
Oracle Support Document 2351499.1 (How to Configure an Existing EPM 220.127.116.11 With Java 7) can be found at:
If so - did you ensure the OS links are properly setup?
One thing you should check is the JavaDLL for all Oracle EPM Services and ensure it's set properly. Should NOT be jrockit, it should be "server" in the dll path.
Let me know if this helps at all. If not there are a ton of other questions. Also ensure on that KB article you follow the extra steps regarding the Essbase, WebLogic config files, etc... The doc discusses the custom param startup files for each WebLogic managed Server - however if y're running on Windows (likely the case per your question above) then you need to apply those same updates to the various JVMOptions for each windows service as well.
If you copy and paste those cipher suites into your Essbase.cfg file directly off of the web page - be careful - the KB article has a couple of hidden carriage returns that will bite you for sure! rpc1
Thanks, I'll try this solution
The solution is for APS so you will need to test if the same parameters can be set for the CM/Planning web app, also if you use Studio there is a similar document
Essbase Studio Fails to Connect to Essbase Server Configured for SSL When Running Under Java 7 (Doc ID 2524647.1)
If you still have problems then it is worth logging it with Oracle as they support Java 7.
Unfortunatly it does not solve problem with SSL, therefore I'm going to rollback on previous version of java until solve this problem.
rpc1 - did you check out my steps? Any update/answers regarding DB type, KB article, etc? We've done this exact config multiple times so there's likely something else going on. Feel free to ping me if you'd like to explore it further.
Hello, iArchSolutions-Joe ! Thanks for you reply!
I have MS SQL Server 2012 Enterprise and Hyperion EPM installed on Windows 2012 Server.
I already configure server according 2351499.1 document using directory links, all Hyperion applications installed as windows services.
Hyperion works fine with JRockit, but has issues with Java 7.
And other services (Foundation, Planning, EAS, Issues) works with Java 7 without any issues, I'm sure that problem in ssl protocol.
According our security requirements, we can use only strong ciphers with TLSv1, I manually set this cipher in config files for every services.
What ciphers do use for TLSv1?
Sorry for the delay! So a few things for recent experiences. Microsoft SQL Server 2012 being SSL enabled has some issues with JDK1.7.0_... (BUG 28919040 - SSL HANDSHAKE NOT HAPPENING AFTER UPGRADING TO JDK 1.7) For a quick test if you can, try putting in JDK1.6.0_211 - it's a very recent version of JDK 1.6 and will pass most InfoSec scans. See if that changes anything or not.
As for ciphers/protocols - can you post your Essbase.cfg file section for the SSLCipherSuites section for us?
Here's a snippet of what is required for Essbase SSL support. JohnGoodwin mentioned the articles above and you can also find the list (just not very clearly) in the Security configuration guide for 18.104.22.168. When we were troubleshooting a recent client we started with the full list below, and then removed one at a time until we found the culprit, again, be careful of <cr> carriage returns hidden when copying and pasting.
Also we had to use the following entires for Essbase LCM accessibility via Shared Services or via LCM command line even after we got the cipher list working.
The fix was to add the line:
To the Utility.bat JAVA_OPTIONS section if running LCM from a command line.
You should also modify the APS WebLogic Managed Server and FoundationServices Managed Server registry windows registry settings and add a new JVMOption and update the corresponding JVMOptionCount to increase the number to the new required value:
This allows FoundationServices (LCM) and Provider Services (APS)_ connections to downgrade their cipher level to support deprecated protocols.
My ciphers from Essbase.cfg: SSLCIPHERSUITES SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA
opmn.xml:<ssl enabled="true" wallet-file="C:\Oracle\ssl" ssl-versions="TLSv1.0" ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA"/>
All services have to use only TLSv1 because OHS supports only this protocol version
Try adding in ALL of the SSLciphers from the post above into your Essbase.cfg.
I understand a lot are deprecated and have security flaws - but start wide open then restrict them one at a. time to get all of the access you need. Also - how is your Widows OS itself configured? Are there cipher suite or TLS restrictions in place in Windows registry? That might also be a bottle knock. When we build these environments we start wide open then restrict title by little.
You should also ensure the Essbase configured wallet you created being used for Essbase is copied out to the Essbase default wallet locations:
On the APS/EAS server Add the parameter below to the
Also add/update the parameter to ALL WebLogic JVM's: -Dolap.server.ssl.supportedProtocols=TLSv1,TLSv1.1,TLSv1.2
You can get around that OHS limitation of TLSv1 by upgrading in-place your OHS install to 22.214.171.124. We pushed Oracle support and they will provide a procedure (besides the proxy model 126.96.36.199 -> 188.8.131.52).
Full SSL enablement isn't a quick easy task but you're on the right track. My suggestion is take one product at a time, make sure end to end SSL is working, then move to the next. Looks like you're fighting battles for Essbase Studio, Essbase, APS, Shared Services, EAS, etc... Take one, get ti working then move to the next. I do Essbase last when I build these.
Hey rpc1 - One more thing - as you're configuring Essbase for SSL enablement - make sure maxL works to connect securely ON the Essbase server itself first. if you get any errors connecting work those out. There's an older setting we had to enable for maxL to secure Essbase...
Add this on the Essbase server as a System variable:
Set API verification system variable in the Essbase server: