Regenerating Encryption Keys

Oracle Enterprise Performance Management System uses the following keys to ensure security:

  • Single Sign On Token encryption key, used to encrypt and decrypt EPM System SSO tokens. This key is stored in Oracle Hyperion Shared Services Registry.

  • Trusted Services key, used by EPM System components to verify the authenticity of the service that is requesting an SSO token.

  • Provider Configuration encryption key, used to encrypt the password (user DN password for LDAP-enabled user directories) that EPM System security uses to bind with a configured external user directory. This password is set while configuring an external user directory.

Change these keys periodically to strengthen EPM System security. Oracle Hyperion Shared Services and the security subsystem of EPM System use AES encryption with 128-bit key strength.

Caution:

Taskflows used by Oracle Hyperion Financial Management and Oracle Hyperion Profitability and Cost Management are invalidated when you regenerate the Single Sign On Encryption key. After regenerating the key, open and save the taskflows to revalidate them.

To regenerate the Single Sign On Encryption key, Provider Configuration key, or Trusted Services key:

  1. Access Oracle Hyperion Shared Services Console as System Administrator. See Launching Shared Services Console.
  2. Select Administration, and then Configure User Directories.
  3. Select Encryption Options.
  4. In Encryption Options, select the key that you want to regenerate.

    Table 3-7 EPM System Encryption Options

    Option: Single Sign On Token
    Description: Select to regenerate the encryption key that is used to encrypt and decrypt EPM System SSO tokens.

      Select one of the following buttons if Enable SSO Compatibility is selected on Security Options:

      • Generate new key to create a new SSO token encryption key

      • Reset to default to restore the default SSO token encryption key

      Note: If you revert to the default encryption key, you must delete the existing keystore file (EPM_ORACLE_HOME/common/CSS/ssHandlerTK) from all EPM System host machines.

    Option: Trusted Services Key
    Description: Select this option to regenerate the trusted authentication key, used by EPM System components to verify the authenticity of the service that is requesting an SSO token.

    Option: Provider Configuration Key
    Description: Select this option to regenerate the key that is used to encrypt the password (user DN password for LDAP-enabled user directories) that EPM System security uses to bind with a configured external user directory. This password is set while configuring an external user directory.
  5. Click OK.
  6. If you chose to generate a new SSO encryption key, complete this step.
    1. Click Download.
    2. Click OK to save ssHandlerTK, the keystore file that supports the new SSO encryption key, into a folder on the server that hosts Oracle Hyperion Foundation Services.
    3. Copy ssHandlerTK into EPM_ORACLE_HOME/common/CSS on all EPM System host machines.
  7. Restart Foundation Services and other EPM System components.
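
Before the restart in step 7, it helps to confirm that every host holds the same ssHandlerTK (or, after Reset to default, that no host still holds one). The script below is an added example, not Oracle code; the function names are hypothetical, and it assumes each host's EPM_ORACLE_HOME is reachable as a local or mounted directory.

```shell
#!/bin/sh
# Added example: verify ssHandlerTK distribution after an SSO key change.
# Assumption: each HOME argument is one host's EPM_ORACLE_HOME, mounted or collected locally.
KEYSTORE_REL="common/CSS/ssHandlerTK"   # keystore location given in the procedure

# check_keystores MODE REFERENCE HOME...
#   MODE=new     : every HOME must hold a keystore byte-identical to REFERENCE
#   MODE=default : no HOME may still hold a keystore (REFERENCE is ignored)
# Prints one status line per HOME; returns 0 only if every HOME passes.
check_keystores() {
    mode=$1; reference=$2; shift 2
    failures=0
    case $mode in
        new) [ -f "$reference" ] ||
                 { echo "ERROR reference not found: $reference" >&2; return 2; } ;;
        default) ;;
        *) echo "ERROR mode must be 'new' or 'default'" >&2; return 2 ;;
    esac
    for home in "$@"; do
        file="$home/$KEYSTORE_REL"
        if [ "$mode" = default ]; then
            if [ -e "$file" ]; then status=STALE; else status=OK; fi
        elif [ ! -f "$file" ]; then
            status=MISSING
        elif cmp -s "$reference" "$file"; then
            status=OK
        else
            status=MISMATCH
        fi
        echo "$status $home"
        [ "$status" = OK ] || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Constructed demo: three fake host trees; host2 keeps an old keystore, host3 has none.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed-keystore-v2' > "$tmp/ssHandlerTK"
    for h in host1 host2 host3; do mkdir -p "$tmp/$h/common/CSS"; done
    cp "$tmp/ssHandlerTK" "$tmp/host1/common/CSS/ssHandlerTK"
    printf 'constructed-keystore-v1' > "$tmp/host2/common/CSS/ssHandlerTK"
    rc=0; check_keystores new "$tmp/ssHandlerTK" "$tmp/host1" "$tmp/host2" "$tmp/host3" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

A MISMATCH or MISSING host would be using a different SSO token key from the rest after the restart, and a STALE host still holds the keystore that the Note says must be deleted when reverting to the default key.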