Updating Default Settings

You customize the SSL settings for components that use C APIs (Essbase Server and clients) by specifying their value in essbase.cfg.

You customize Essbase Server SSL settings by specifying their value in essbase.cfg.

Updating Essbase SSL Settings

Edit essbase.cfg to customize Essbase SSL settings such as:

  • Setting to enable secure mode

  • Setting to enable clear mode

  • Preferred mode to communicate with clients (used by clients only)

  • Secure port

  • Cipher suites

  • Oracle Wallet path

  To update essbase.cfg:

  1. Using a text editor, open EPM_ORACLE_INSTANCE/EssbaseServer/essbaseserver1/bin/essbase.cfg.

  2. Enter settings as needed. See Table 14.

    Table 14. Essbase SSL Settings

    Setting    Description [1]

    EnableClearMode [2]

    Enables unencrypted communication between Essbase applications and Essbase Agent. If this property is set to FALSE, Essbase does not handle non-SSL requests.

    Default: TRUE

    Example: EnableClearMode FALSE

    EnableSecureMode

    Enables SSL encrypted communication between Essbase clients and Essbase Agent. This property must be set to TRUE to support SSL.

    Default: FALSE

    Example: EnableSecureMode TRUE

    SSLCipherSuites

    A list of cipher suites, in order of preference, to use for SSL communication. See Available Cipher Suites for Components that Use Essbase C APIs. Essbase Agent uses one of these cipher suites for SSL communication. The first cipher suite in the list is accorded the highest priority when the agent chooses a cipher suite.

    Default: SSL_RSA_WITH_RC4_128_MD5

    Example: SSLCipherSuites SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA

    AgentSecurePort

    The secure port at which the agent listens.

    Default: 6423

    Example: AgentSecurePort 16001

    WalletPath

    Location of the Oracle Wallet (fewer than 1024 characters) that stores the root CA certificate and signed certificate.

    Default: ARBORPATH/bin/wallet

    Example: WalletPath /usr/local/wallet

    ClientPreferredMode [3]

    The mode (Secure or Clear) for the client session. If this property is set to Secure, SSL mode is used for all sessions.

    If this property is set to Clear, transport is chosen based on whether the client login request contains the secure transport keyword. See Establishing a Per-Session SSL Connection.

    Default: CLEAR

    Example: ClientPreferredMode SECURE

    [1] The default value is enforced if the property is missing from essbase.cfg.

    [2] Essbase becomes inoperable if EnableClearMode and EnableSecureMode are both set to FALSE.

    [3] Clients use this setting to determine whether they should establish a secure or non-secure connection with Essbase.

  3. Save and close essbase.cfg.
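An added example (not Oracle's code) that computes the effective settings Table 14 yields once defaults are applied, and flags the combinations the table warns about plus suites built on RC4, single DES or MD5. The `;` comment syntax, the function names and the sample file are assumptions made for illustration.

```python
import re

# Defaults from Table 14; footnote 1: they apply when a setting is absent.
DEFAULTS = {
    "enableclearmode": "TRUE",
    "enablesecuremode": "FALSE",
    "sslciphersuites": "SSL_RSA_WITH_RC4_128_MD5",
    "clientpreferredmode": "CLEAR",
}
# Supported suites that depend on RC4, single DES or MD5.
WEAK = re.compile(r"_RC4_|_DES_CBC_|_MD5$")


def effective_settings(text):
    """Parse 'Setting value' lines over the defaults (';' comments assumed)."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split(None, 1)
        if parts:
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_cfg(text):
    """Return findings for the effective SSL settings of an essbase.cfg."""
    s = effective_settings(text)
    clear = s["enableclearmode"].upper() == "TRUE"
    secure = s["enablesecuremode"].upper() == "TRUE"
    findings = []
    if not clear and not secure:
        findings.append("both modes FALSE: Essbase is inoperable (footnote 2)")
    if not secure:
        findings.append("EnableSecureMode is not TRUE: SSL is unavailable")
    if clear:
        findings.append("EnableClearMode is TRUE: non-SSL requests are handled")
    if s["clientpreferredmode"].upper() != "SECURE":
        findings.append("ClientPreferredMode is not SECURE (client-side setting)")
    weak = [c.strip() for c in s["sslciphersuites"].split(",") if WEAK.search(c.strip())]
    if weak:
        findings.append("weak cipher suites: " + ", ".join(weak))
    return findings


SAMPLE = """\
; constructed example, not a real deployment file
EnableSecureMode TRUE
SSLCipherSuites SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA
AgentSecurePort 16001
"""
```

Running `audit_cfg(SAMPLE)` shows that enabling secure mode alone leaves clear mode on by default and that the second suite in the page's own example line is single DES.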

Customizing SSL Properties of JAPI Clients

A number of default properties are set for you when you deploy Essbase components that rely on JAPI. These customizable properties are externalized in essbase.properties.

  To update SSL properties of JAPI clients:

  1. Using a text editor, open EPM_ORACLE_INSTANCE/EssbaseServer/essbaseserver1/bin/essbase.properties.

  2. Update the properties as needed. See Table 15 for descriptions of the customizable JAPI client properties.

    Table 15. Default SSL properties for JAPI Clients

    Property    Description

    olap.server.ssl.alwaysSecure

    Sets the mode that clients should use against all Essbase instances. Change this property value to true to enforce SSL mode.

    Default: false

    olap.server.ssl.securityHandler

    Package name for handling the protocol. You can change this value to indicate another handler.

    Default: java.protocol.handler.pkgs

    olap.server.ssl.securityProvider

    Oracle uses the Sun SSL protocol implementation. You can change this value to indicate another provider.

    Default: com.sun.net.ssl.internal.www.protocol

    olap.server.ssl.supportedCiphers

    A comma-separated list of additional ciphers to be enabled for secure communication. You must specify only ciphers that Essbase supports. See Available Cipher Suites for Components that Use Essbase C APIs.

    Example: SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA

    olap.server.ssl.trustManagerClass

    The TrustManager class to use to validate the SSL certificate by verifying the signature and checking the certificate expiration date.

    By default, this property is not set, so all verification checks are enforced.

    To not enforce verification checks, set the value of this parameter to com.essbase.services.olap.security.EssDefaultTrustManager, which is the default TrustManager class that allows all validation checks to succeed.

    To implement a custom TrustManager, specify the fully qualified class name of a TrustManager class that implements the javax.net.ssl.X509TrustManager interface.

    Example: com.essbase.services.olap.security.EssDefaultTrustManager

    olap.server.ssl.keyManagerClass

    This parameter is not used in this release.

  3. Save and close essbase.properties.

  4. Restart all Essbase components.
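An added example (not Oracle's code) that reviews an essbase.properties file against Table 15: whether SSL mode is enforced, whether the TrustManager that lets every validation check succeed is configured, and whether supportedCiphers names only suites from this page's supported list. The key=value syntax, the function names and the sample file are assumptions made for illustration.

```python
# Suites listed under "Available Cipher Suites for Components that Use
# Essbase C APIs" on this page.
SUPPORTED = {
    "SSL_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5",
}
ACCEPT_ALL = "com.essbase.services.olap.security.EssDefaultTrustManager"
PREFIX = "olap.server.ssl."


def parse_properties(text):
    """Parse key=value lines (Java properties syntax is an assumption)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_japi(text):
    """Return findings for the SSL properties described in Table 15."""
    p = parse_properties(text)
    findings = []
    # Table 15: alwaysSecure defaults to false when it is not set.
    if p.get(PREFIX + "alwaysSecure", "false").lower() != "true":
        findings.append("alwaysSecure is not true: SSL mode is not enforced")
    tm = p.get(PREFIX + "trustManagerClass", "")
    if tm == ACCEPT_ALL:
        findings.append("trustManagerClass lets all validation checks succeed")
    elif tm:
        findings.append("custom TrustManager in use: " + tm)
    ciphers = p.get(PREFIX + "supportedCiphers", "")
    unknown = [c.strip() for c in ciphers.split(",")
               if c.strip() and c.strip() not in SUPPORTED]
    if unknown:
        findings.append("ciphers not supported by Essbase: " + ", ".join(unknown))
    return findings


SAMPLE = """\
# constructed example, not a real deployment file
olap.server.ssl.alwaysSecure=false
olap.server.ssl.trustManagerClass=com.essbase.services.olap.security.EssDefaultTrustManager
olap.server.ssl.supportedCiphers=SSL_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256
"""
```

A file that leaves trustManagerClass unset produces no TrustManager finding, matching the table's statement that the unset property enforces all verification checks.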

Available Cipher Suites for Components that Use Essbase C APIs

These cipher suites are supported by the SSL implementation on Essbase Server:

  • SSL_RSA_WITH_AES_256_CBC_SHA

  • SSL_RSA_WITH_AES_128_CBC_SHA

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_RSA_WITH_DES_CBC_SHA

  • SSL_RSA_WITH_RC4_128_SHA

  • SSL_RSA_WITH_RC4_128_MD5