Protecting EPM System Products for SSO
You must protect Oracle Enterprise Performance Management System resources so that SSO requests from users are redirected to the security agent (OAM, OSSO, or SiteMinder).
Oracle HTTP Server uses mod_osso to redirect users to the OSSO server. Users are redirected only if the URLs that they request are configured in mod_osso to be protected. See Managing Security in the Oracle HTTP Server Administrator's Guide.
For information on protecting resources for SiteMinder SSO, see SiteMinder documentation.
OAM Only: Preventing Default Headers from Being Added to Responses
By default, OAM adds two headers, Pragma: no-cache and Cache-Control: no-cache, to protected URLs. Because these headers conflict with similar caching directives added by the EPM System and web applications, browsers may not cache the content of protected URLs, causing slower performance.
For detailed information on preventing these OAM headers from being added to responses, see "Tuning OAM Agents" in the "Oracle Access Management Performance Tuning" section of Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
Resources to Protect
The following table lists the contexts that must be protected. The syntax for protecting a resource (using interop as an example) for OSSO:
<Location /interop>
Require valid-user
AuthType Basic
order deny,allow
deny from all
allow from myServer.myCompany.com
satisfy any
</Location>
The allow from parameter specifies servers from which the protection of the context can be bypassed.
For Oracle Hyperion Enterprise Performance Management Workspace and Oracle Hyperion Financial Reporting, you need to set only the parameters indicated in the following example:
<Location /workspace>
Require valid-user
AuthType Basic
</Location>
Table 3-1 EPM System Resources to Protect
EPM System Product | Context to Protect |
---|---|
Oracle Hyperion Shared Services |
|
Oracle Hyperion EPM Workspace |
|
Oracle Hyperion Financial Reporting |
|
Oracle Hyperion Planning |
|
Oracle Integrated Operational Planning |
|
Oracle Hyperion Financial Management |
|
Oracle Hyperion Financial Reporting Web Studio | /frdesigner/** |
Oracle Data Relationship Management |
|
Oracle Essbase Administration Services |
|
Oracle Hyperion Financial Data Quality Management |
|
Oracle Hyperion Calculation Manager |
|
Oracle Hyperion Provider Services |
|
Oracle Hyperion Profitability and Cost Management |
|
Account Reconciliation Manager |
|
Oracle Hyperion Financial Close Management |
|
Oracle Hyperion Financial Data Quality Management, Enterprise Edition |
|
Oracle Hyperion Tax Governance | /tss |
Tax Operations | /taxop |
Oracle Hyperion Tax Provision | /taxprov |
Supplemental Data Manager |
|
Oracle Essbase |
|
Resources to Unprotect
The following table lists the contexts that must be unprotected. The syntax for unprotecting a resource (using /interop/framework(.*) as an example) for OSSO:
<LocationMatch /interop/framework(.*)>
Require valid-user
AuthType Basic
allow from all
satisfy any
</LocationMatch>
Table 3-2 EPM System Resources to Unprotect
EPM System Product | Contexts to Unprotect |
---|---|
Oracle Hyperion Shared Services |
|
Oracle Hyperion EPM Workspace |
|
Oracle Hyperion Planning |
|
Oracle Hyperion Financial Reporting |
|
Oracle Data Relationship Management | /drm-migration-client |
Oracle Hyperion Calculation Manager |
|
Oracle Essbase Administration Services |
|
Oracle Hyperion Financial Management | /oracle-epm-fm-webservices |
Oracle Hyperion Financial Close Management |
|
Integrated Operational Planning |
|
Oracle Hyperion Profitability and Cost Management |
|
Oracle Essbase |
|
Oracle Hyperion Financial Data Quality Management, Enterprise Edition |
|
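
The protect and unprotect syntax shown above can be checked mechanically against a mod_osso configuration file. The following Python sketch is an added example, not part of Oracle's documentation: it parses Location and LocationMatch blocks and reports required contexts that are not protected, protected contexts that `allow from all` with `satisfy any` opens to every host, and hosts that are allowed to bypass SSO. The function names and the sample fragment are assumptions made for illustration; the contexts passed in come from the lists on this page.

```python
import re
# Added example: function names are hypothetical; the fragment below is constructed.
SAMPLE_CONF = """
<Location /interop>
Require valid-user
AuthType Basic
order deny,allow
deny from all
allow from myServer.myCompany.com
satisfy any
</Location>
<LocationMatch /interop/framework(.*)>
Require valid-user
AuthType Basic
allow from all
satisfy any
</LocationMatch>
<Location /taxop>
Require valid-user
AuthType Basic
allow from all
satisfy any
</Location>
"""

BLOCK = re.compile(r"<(Location(?:Match)?)\s+(\S+)>(.*?)</\1>", re.S | re.I)

def parse_blocks(conf):
    """Map each context to its directives, whitespace-normalised and lower-cased."""
    return {m.group(2): [" ".join(line.split()).lower()
                         for line in m.group(3).splitlines() if line.strip()]
            for m in BLOCK.finditer(conf)}

def audit(conf, must_protect, must_unprotect):
    """Return (context, finding) pairs for contexts that need a fix or a review."""
    blocks, findings = parse_blocks(conf), []
    for ctx in must_protect:
        d = blocks.get(ctx, [])
        if not {"require valid-user", "authtype basic"} <= set(d):
            findings.append((ctx, "unprotected: block or Require valid-user/AuthType Basic missing"))
        elif "satisfy any" in d and "allow from all" in d:
            findings.append((ctx, "open: allow from all + satisfy any lets every host skip SSO"))
        elif "satisfy any" in d:  # only the listed hosts bypass SSO; confirm each is intended
            hosts = [x[len("allow from "):] for x in d if x.startswith("allow from ")]
            findings.append((ctx, "bypass hosts to review: " + ", ".join(hosts)))
    for ctx in must_unprotect:
        if not {"allow from all", "satisfy any"} <= set(blocks.get(ctx, [])):
            findings.append((ctx, "still protected: needs allow from all + satisfy any"))
    return findings
```

Calling `audit(SAMPLE_CONF, ["/interop", "/workspace", "/taxop"], ["/interop/framework(.*)"])` reports the bypass host on /interop, the missing /workspace block, and the /taxop block that is open to all hosts.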