The use of Secure Sockets Layer (SSL) within an EPMS deployment is a fairly controversial topic. Generally SSL is not necessary from an EPMS implementation perspective. Yes, we’re dealing with corporate financial data, and therefore extremely sensitive material. However, we’re also talking about an Intranet Only application. SSL is used in conjunction with EPMS implementations approximately 20% of the time. The fact that few EPMS clients utilize SSL should not preclude prospective clients from considering its use. However there are other things to consider when discussing security.

A common practice is to tie the Oracle EPM System into a corporate Single Sign-on System (SSO). When a user accesses a web application secured by SSO, a Security Token is generated for the user. This token contains the user’s credentials and is passed to other web applications that accept SSO tokens. The token eliminates the need for the user to enter their credentials each time they access a corporate web application. The added convenience comes with a significant risk. The security token is valid for a set amount of time, typically for 30 minutes to 1 hour. If a user were to walk away from their workstation leaving it unlocked, anyone could access the EPM System using the cached security token. This would bypass all security measures; SSL, EPMS Security, Firewalls, etc. Most corporations have a policy to lock workstations when they’re not in use. However, it’s common for that policy to be ignored at least by some users.

Before deciding to add additional complexity to an already complex system, clients should consider all potential risks and eliminate ‘low hanging fruit’. Once the decision has been made to move forward with SSL, the next step is to decide which method to use. There are three (3) common methods for implementing SSL with Oracle EPMS; SSL Offload, SSL at the Web Layer, and Full SSL. The first two (2) options are straight forward from an implementation and support perspective. The last option adds significant effort to both implementation and support. These options, along with their pros and cons will be discussed in a future Blog.
--Author, Damon Hannah

This alert from Oracle addresses a specific type of Denial of Service attack to WebLogic only.  No data is at risk and the alert specifically notes that malicious users won’t be able to access the environment.  However, during the attack (like any Denial of Service attack), normal users will be unable to access the environment as well.
 
A set of WebLogic patches have been released to addressed the issue.  However, since the overall risk is very low to the average Hyperion users, application of this patch is does not need to be a high priority unless the WebLogic server is publicly accessible (not firewalled).  WebLogic patch ID is 13583186 and has only been publically available for one week.

--Author, Tony Moyers

In an EPM Planning environment, there must only be one Essbase Administration Services (EAS) Server in any given environment.  One of the most common mistakes when it comes to implementing an EPM planning environment involves EAS and not Planning.  Many architects try to load balance EAS, or install more than one for fault tolerance, or just for convenience and install EAS wherever they install Essbase.  In fact, if you read the latest documentation in 11.1.2, the High Availability and Disaster Recovery guide says you can use Weblogic Clustering for high availability.  Years of practical field experience and support cases say otherwise.  

The problem is one of functionality. Specifically the functionality in Business Rules (HBR) and its relationship with Hyperion Planning.  In almost every Hyperion Planning environment, Business Rules are in use.  Calc Manager has simply not gained enough momentum yet.  The functional problem that requires only one EAS server is around how Planning and HBR communicate.  In business rules a rule is assigned to a "Location".  These are usually in the format > PlanningServer/PlanningApplication/Cube.  They are seeded into HBR as applications become "active", and can then be assigned.

If you have installed or administered Hyperion Planning, you know there are two Planning services, or components, that have to be running. The first is the Planning Web Application itself.  The other, the Hyperion RMI Registry.  Planning notifies HBR that a location is available or "active" when someone logs into a planning application for the first time by sending a message through the RMI registry service to the HBR server.  It knows where the HBR server is because it's stored as a property in the HBRServer.properties file found either on the file system (pre 11.x) or in the EPM System Registry.

When there are more than one EAS servers it will only notify the EAS server registered in the HBRServer.properties file. The properties file stores only one server name. The result is business rule development on any EAS server but the registered EAS server lacks the functionality to assign planning locations to business rules. Even if the EAS servers share a repository, the second server might be able to see the locations, because it shares the same schema, but the locations can fail to connect because the RMI connectivity fails.

If you are not using HBR you may be able to install multiple EAS servers in an environment.  But consider EAS as an administrative tool, and not an end user tool.  It does not support any functionality that requires high availability.  If you want to install the admin client on every Essbase server that makes sense, but there should not be a need for more than one EAS server. If you are using HBR a single EAS server is a must, so why architect yourself into a situation that can limit functionality should your client decide to use HBR down the road.

Author: Mike Turner