1. Security Configuration Guide
  2. Using a Custom Authentication Module
  3. Deploying the Custom Authentication Module

Deploying the Custom Authentication Module

Only one custom module is supported for an Oracle Enterprise Performance Management System deployment. You can enable custom authentication for one or more user directories in the search order.

The custom authentication module must implement the public interface CSSCustomAuthenticationIF, defined in the com.hyperion.css package. This document assumes that you have a fully functional custom module that defines the logic for authenticating users against the user provider of your choice. After you develop and test a custom authentication module, you must implement it in EPM System environment.

Overview of Steps

Your custom authentication code should not use log4j for error logging. If the code that you used in a previous release uses log4j, you must remove it from the code before using it with this release.

To implement the custom authentication module, complete the following steps:

  • Stop EPM System products including Oracle Hyperion Shared Services and any systems that use Shared Services APIs.

  • Copy the custom authentication module Java archive CustomAuth.jar into the deployment:

    • WebLogic: Copy CustomAuth.jar into MIDDLEWARE_HOME/user_projects/domains/WEBLOGIC_DOMAIN/lib, typically, C:/Oracle/Middleware/user_projects/domains/EPMSystem/lib.

      If you are upgrading from Release 11.1.2.0 or 11.1.2.1 that had an implementation of custom authentication module, move CustomAuth.jar from EPM_ORACLE_HOME/common/jlib/11.1.2.0 into MIDDLEWARE_HOME/user_projects/domains/WEBLOGIC_DOMAIN/lib.

    • All Client Deployments: Copy CustomAuth.jar into all EPM System client deployments, into the following location:

      EPM_ORACLE_HOME/common/jlib/11.1.2.0, typically, Oracle/Middleware/common/jlib/11.1.2.0. Ensure that CustomAuth.jar file is always placed in the EPM_ORACLE_HOME/common/jlib/11.1.2.0 directory.

      For all the servers and clients to work with custom authentication, the CustomAuth.jar file must be present in the following two locations:

      • MIDDLEWARE_HOME/user_projects/domains/WEBLOGIC_DOMAIN/lib
      • EPM_ORACLE_HOME/common/jlib/11.1.2.0

  • Update user directory settings in Shared Services. See Updating Settings in Shared Services.

  • Start Shared Services, followed by other EPM System products.

  • Test your implementation. See Testing Your Deployment.

Updating Settings in Shared Services

By default, custom authentication is disabled for all user directories. You can override the default behavior to enable custom authentication for specific external user directories or for Native Directory.

Updating User Directory Configurations

You must update the configuration of the user directory for which custom authentication must be enabled.

To update user directory configuration:

  1. Start Oracle Hyperion Foundation Services.

  2. Access Oracle Hyperion Shared Services Console as System Administrator.

  3. Select Administration, and then Configure User Directories.

  4. On the Defined User Directories screen, select the user directory for which you want to change the custom authentication setting.

    Note:

    EPM System uses only the user directories included in the search order.

  5. Click Edit.

  6. Select Show Advanced Options.

  7. In Custom Module, select Authentication Module to enable custom module for the current user directory.

  8. Click Finish.

  9. Repeat this procedure to update the configuration of other user directories in the search order.

Updating Security Options

Ensure that CustomAuth.jar is available in EPM_ORACLE_HOME/user_projects/domains/WEBLOGIC_DOMAIN/lib before starting the following procedure.

To update security options:

  1. Access Shared Services Console as System Administrator.

  2. Select Administration, and then Configure User Directories.

  3. Select Security Options.

  4. Select Show Advanced Options.

  5. In Authentication Module, enter the fully qualified class name of the custom authentication module that should be used to authenticate users on all user directories for which the custom authentication module is selected. For example, com.mycompany.epm.CustomAuthenticationImpl.

  6. Click OK.

Testing Your Deployment

If Native Directory is not configured for custom authentication, do not use Native Directory users to test custom authentication.

Note:

It is your responsibility to identify and correct any issues with the custom authentication module. Oracle assumes that your custom module works flawlessly to map a user from the user directory used by the custom module to a user on a custom authentication-enabled user directory available in EPM System search order.

To test your deployment, log in to EPM System using user credentials from the user directory; for example, an RSA SecurID infrastructure, used by the custom module. These credentials may be different from the EPM System credentials.

Your implementation is considered successful if EPM System products allow you to access their resources. An error indicating that the user was not found is not always an indicator of an unsuccessful implementation. In such cases, verify that the credentials that you entered are present in the custom user store and that a matching user is present in one of the custom authentication-enabled user directories in the EPM System search order.

To test custom authentication:

  1. Ensure that EPM System products are running.

  2. Access an EPM System component; for example, Oracle Hyperion Enterprise Performance Management Workspace.

  3. Log in as a user defined on a user directory for which custom authentication is enabled.

    1. In Username, enter your user identifier; for example, an RSA User ID.

    2. In Password, enter a password; for example; an RSA PIN.

    3. Click Login.

  4. Verify that you can access EPM System product resources.