12 Replies Latest reply on May 31, 2019 11:24 AM by iArchSolutions-Joe

    Hyperion EPM 11.1.2.4 on JDK 1.7

    rpc1

      Hello!

      Does anybody use Hyperion EPM with Java 1.7.

      I configured EPM with Java 1.7  by this doc , face strange issues in Calculation Manager

      JAVA VERSION:  JDK 1.7.0_111 and 1.7.0_211

      Infrastructure: Full SSL, HA cluster for Hyperion services

      ISSUE:

      1) when I try to expand  Essbase - it shows me  error (JDK 1.7.0_111 and 1.7.0_211 )

      2)  when I try to expand - Planning  (only on JDK 1.7.0_211)

       

      Investigating and debuging shows me that problem in messaging service (decrypting ssl messages).

       

      When I change JDK to JRockit 1.6.0_37 -  everything works fine, but this version is stale and I don't want to use it.

        • 1. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
          JohnGoodwin

          In most cases it is fine but there is an issue with Java 7 and full SSL with Essbase, this is due to TLS 1.2 being the default with Java 7 and OPMN 11.1.1.7 only supports TLS 1.0

          More information in the support document - Essbase: After Upgrade of Java Bundled with Enterprise Performance Management (EPM) from 1.6.0.35 to 1.6.0.121+ or Java 1.7 Update 101+, Analytic Provider Services (APS) is Unable to Connectto SSL Enabled Essbase. Error: Received fatal alert: close_notify (Doc ID 2470194.1)

           

          Cheers

           

          John

          1 person found this helpful
          • 2. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
            iArchSolutions-Joe

            Good morning - a couple of questions - you said FULL SSL, What database are you running?  Oracle DB or SQL Server DB?  If SQL Server DB - there might be some issues undocumented bugs you might face so JDK 1.6.0_211 is the safest bet for now util those bugs are addressed.

             

            If Oracle DB then next question is which procedure did you follow for the upgrade of Java?  I presume this was an existing install?  So did you follow this link? 

             

            Oracle Support Document 2351499.1 (How to Configure an Existing EPM 11.1.2.4 With Java 7) can be found at:

             

            https://support.oracle.com/epmos/faces/DocumentDisplay?id=2351499.1

             

            If so - did you ensure the OS links are properly setup?

             

            One thing you should check is the JavaDLL for all Oracle EPM Services and ensure it's set properly.  Should NOT be jrockit, it should be "server" in the dll path.

             

            Let me know if this helps at all.  If not there are a ton of other questions.  Also ensure on that KB article you follow the extra steps regarding the Essbase, WebLogic config files, etc...  The doc discusses the custom param startup files for each WebLogic managed Server - however if y're running on Windows (likely the case per your question above) then you need to apply those same updates to the various JVMOptions for each windows service as well.

            1 person found this helpful
            • 3. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
              iArchSolutions-Joe

              If you copy and paste those cipher suites into your Essbase.cfg file directly off of the web page - be careful - the KB article has a couple of hidden carriage returns that will bite you for sure! rpc1

              • 4. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
                rpc1

                Thanks, I'll try this solution

                • 5. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
                  JohnGoodwin

                  The solution is for APS so you will need to test if the same parameters can be set for the CM/Planning web app, also if you use Studio there is a similar document

                  Essbase Studio Fails to Connect to Essbase Server Configured for SSL When Running Under Java 7 (Doc ID 2524647.1)

                  If you still have problems then it is worth logging it with Oracle as they support Java 7.

                  • 6. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
                    rpc1

                    Unfortunatly it does not solve problem with SSL, therefore I'm going to rollback on  previous version of java until solve this problem.

                    • 7. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
                      iArchSolutions-Joe

                      rpc1 - did you check out my steps?  Any update/answers regarding DB type, KB article, etc?  We've done this exact config multiple times so there's likely something else going on.  Feel free to ping me if you'd like to explore it further.

                      • 8. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
                        rpc1

                        Hello, iArchSolutions-Joe ! Thanks for you reply!

                        I have MS SQL Server 2012 Enterprise   and Hyperion EPM installed on Windows 2012 Server.

                        I already configure server according 2351499.1 document using directory links, all Hyperion applications installed as windows services.

                        Hyperion works fine with JRockit, but has issues with Java 7.

                        And other services  (Foundation, Planning, EAS, Issues) works with Java 7 without any issues, I'm sure that problem in ssl protocol.

                        According our security requirements, we can use only strong ciphers with TLSv1, I manually set this cipher in config files for every services.

                         

                        What ciphers do use for TLSv1?

                        • 9. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
                          iArchSolutions-Joe

                          Sorry for the delay!  So a few things for recent experiences. Microsoft SQL Server 2012 being SSL enabled has some issues with JDK1.7.0_... (BUG 28919040 - SSL HANDSHAKE NOT HAPPENING AFTER UPGRADING TO JDK 1.7)  For a quick test if you can, try putting in JDK1.6.0_211 - it's a very recent version of JDK 1.6 and will pass most InfoSec scans.  See if that changes anything or not.

                           

                          As for ciphers/protocols - can you post your Essbase.cfg file section for the SSLCipherSuites section for us?

                           

                          Here's a snippet of what is required for Essbase SSL support.  JohnGoodwin mentioned the articles above and you can also find the list (just not very clearly) in the Security configuration guide for 11.1.2.4.  When we were troubleshooting a recent client we started with the full list below, and then removed one at a time until we found the culprit, again, be careful of <cr> carriage returns hidden when copying and pasting.

                           

                          SSLCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5

                           

                           

                          Also we had to use the following entires for Essbase LCM accessibility via Shared Services or via LCM command line even after we got the cipher list working.

                           

                          The fix was to add the line:

                           

                          -Dolap.server.ssl.supportedProtocols=TLSv1,TLSv1.1,TLSv1.2

                           

                          To the Utility.bat JAVA_OPTIONS section if running LCM from a command line.

                           

                          You should also modify the APS WebLogic Managed Server and FoundationServices Managed Server registry windows registry settings and add a new JVMOption and update the corresponding JVMOptionCount to increase the number to the new required value:

                           

                          -Dolap.server.ssl.supportedProtocols=TLSv1,TLSv1.1,TLSv1.2

                           

                          This allows FoundationServices (LCM) and Provider Services (APS)_ connections to downgrade their cipher level to support deprecated protocols.

                           

                          • 10. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
                            rpc1

                            My ciphers  from Essbase.cfg: SSLCIPHERSUITES SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA

                            opmn.xml:<ssl enabled="true" wallet-file="C:\Oracle\ssl"  ssl-versions="TLSv1.0" ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA"/>

                            Windows registry:

                            All services have to use only TLSv1 because OHS supports only this protocol version

                            • 11. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
                              iArchSolutions-Joe

                              Try adding in ALL of the SSLciphers from the post above into your Essbase.cfg.

                               

                              SSLCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5

                               

                              I understand a lot are deprecated and have security flaws - but start wide open then restrict them one at a. time to get all of the access you need.  Also - how is your Widows OS itself configured?  Are there cipher suite or TLS restrictions in place in Windows registry?  That might also be a bottle knock.  When we build these environments we start wide open then restrict title by little.

                               

                              You should also ensure the Essbase configured wallet you created being used for Essbase is copied out to the Essbase default wallet locations:

                               

                              D:\Oracle\Middleware\EPMSystem11R1\common\EssbaseRTC\11.1.2.0\bin\wallet

                              D:\Oracle\Middleware\EPMSystem11R1\products\Essbase\EssbaseServer\bin

                              D:\Oracle\Middleware\EPMSystem11R1\products\Essbase\EssbaseClient\bin\wallet

                               

                              On the APS/EAS server Add the parameter below to the

                               

                              D:\Oracle\Middleware\EPMSystem11R1\common\EssbaseJavaAPI\11.1.2.0\bin\essbase.properties

                               

                              Also add/update the parameter to ALL WebLogic JVM's:  -Dolap.server.ssl.supportedProtocols=TLSv1,TLSv1.1,TLSv1.2

                               

                              olap.server.ssl.supportedProtocols=TLSv1,TLSv1.1,TLSv1.

                               

                              You can get around that OHS limitation of TLSv1 by upgrading in-place your OHS install to 11.1.1.9.  We pushed Oracle support and they will provide a procedure (besides the proxy model 11.1.1.9 -> 11.1.1.7).

                               

                              Full SSL enablement isn't a quick easy task but you're on the right track.  My suggestion is take one product at a time, make sure end to end SSL is working, then move to the next.  Looks like you're fighting battles for Essbase Studio, Essbase, APS, Shared Services, EAS, etc...  Take one, get ti working then move to the next.  I do Essbase last when I build these.

                              • 12. Re: Hyperion EPM 11.1.2.4 on JDK 1.7
                                iArchSolutions-Joe

                                Hey rpc1 - One more thing - as you're configuring Essbase for SSL enablement - make sure maxL works to connect securely ON the Essbase server itself first.  if you get any errors connecting work those out.  There's an older setting we had to enable for maxL to secure Essbase...

                                 

                                Add this on the Essbase server as a System variable:

                                 

                                Set API verification system variable in the  Essbase server:

                                 

                                API_DISABLE_PEER_VERIFICATION=1