EPM System uses the following keys to ensure security:
Single Sign On Token encryption key, used to encrypt and decrypt EPM System SSO tokens. This key is stored in Oracle's Hyperion Shared Services Registry.
Trusted Services key, used by EPM System components to verify the authenticity of the service that is requesting an SSO token.
Provider Configuration encryption key, used to encrypt the password (user DN password for LDAP-enabled user directories) that EPM System security uses to bind with a configured external user directory. This password is set while configuring an external user directory.
Caution! If your deployment comprises System 9 release 9.2.x components, regenerating the encryption key causes SSO failure because System 9 release 9.2.x components work only with their default encryption key.
Caution! Taskflows used by Oracle Hyperion Financial Management, Fusion Edition; Oracle Hyperion EPM Architect, Fusion Edition; and Oracle Hyperion Profitability and Cost Management, Fusion Edition, are invalidated when you regenerate the Single Sign On Encryption key. After regenerating the key, you must open and save the taskflows to revalidate them.
To regenerate the Single Sign On Encryption key, Provider Configuration key, or Trusted Services key:
Launch Shared Services Console. See Launching Shared Services Console.
In Encryption Options, select the key that you want to regenerate.
Table 8. EPM System Encryption Options
Option | Description |
---|---|
Single Sign On Token | Select to regenerate the encryption key that is used to encrypt and decrypt EPM System SSO tokens. Select one of the following buttons if SSO Compatibility in Security Options screen is set to 11.1.2.0 and below: |
Trusted Services Key | Select this to regenerate the trusted authentication key, used by EPM System components to verify the authenticity of the service that is requesting an SSO token. |
Provider Configuration Key | Select this to regenerate the key that is used to encrypt the password (user DN password for LDAP-enabled user directories) that EPM System security uses to bind with a configured external user directory. This password is set while configuring an external user directory. |
Optional: If you chose to generate a new SSO encryption key, complete this step.
Click Download.
Click OK to download ssHandlerTK, the keystore file that supports the new SSO encryption key, into a folder on the server that hosts Foundation Services.
Optional: Copy ssHandlerTK into the required locations. See the following table for details.
Table 9. Encryption key compatibility and location of keystore
EPM System Interoperability Mode[1] | SSO Encryption Key Regeneration Support | Where to Locate ssHandlerTK[2] |
---|---|---|
11.1.2.1 with 9.2.x | No | Not applicable |
11.1.2.1 with 9.3.x | Yes | HYPERION_HOME/common/CSS on all EPM System host machines |
11.1.2.1 with 11.1.1.1 | Yes | HYPERION_HOME/common/CSS on all EPM System host machines |
11.1.2.1 with 11.1.1.2 | Yes | EPM_ORACLE_HOME/common/CSS on all EPM System host machines |
11.1.2.1 with 11.1.1.3 | Yes | EPM_ORACLE_HOME/common/CSS on all EPM System host machines |
11.1.2.1 | Yes | EPM_ORACLE_HOME/common/CSS on all EPM System host machines |
[1] Some interoperability modes listed in this table may not be supported. See Release 11.1.2.1 Certification Matrix.
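After ssHandlerTK has been copied, the script below reports whether each CSS directory from Table 9 holds the newly downloaded keystore or a missing or stale copy. It is an added example, not Oracle tooling; the function names, the status words, and the rule that group or other read access counts as exposure are assumptions of this example.

```shell
#!/bin/sh
# Added example: check every copy of ssHandlerTK against the keystore
# downloaded from Shared Services Console after SSO key regeneration.

# Print the SHA-256 hex digest of a file (sha256sum, else shasum).
keystore_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_keystore EXPECTED_DIGEST CSS_DIR
# Prints a status word; returns 0 OK, 1 MISSING, 2 STALE, 3 EXPOSED.
check_keystore() {
    expected=$1
    file=$2/ssHandlerTK
    if [ ! -f "$file" ]; then
        echo MISSING; return 1
    fi
    # A copy that differs from the download still carries the old key.
    if [ "$(keystore_digest "$file")" != "$expected" ]; then
        echo STALE; return 2
    fi
    # Assumption (not from the Oracle page): only the account that runs
    # EPM System should be able to read the keystore.
    if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo EXPOSED; return 3
    fi
    echo OK; return 0
}

# audit_keystores DOWNLOADED_KEYSTORE CSS_DIR...
# Prints one line per directory; returns how many copies are not OK.
audit_keystores() {
    ref=$1; shift
    want=$(keystore_digest "$ref")
    bad=0
    for dir in "$@"; do
        status=$(check_keystore "$want" "$dir") || bad=$((bad + 1))
        printf '%-8s %s\n' "$status" "$dir"
    done
    return "$bad"
}

# Stand-alone use: pass the downloaded keystore, then each CSS directory.
if [ "$#" -ge 2 ]; then audit_keystores "$@"; fi
```

Run it on each EPM System host (or against mounted copies of each host's CSS directory), passing the file downloaded in the Download step as the first argument.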