Protecting EPM System Products for SSO

You must protect Oracle Enterprise Performance Management System resources so that SSO requests from users are redirected to the security agent (OAM, OSSO, or SiteMinder).

Oracle HTTP Server uses mod_osso to redirect users to the OSSO server. Users are redirected only if the URLs that they request are configured in mod_osso to be protected. See Managing Security in the Oracle HTTP Server Administrator's Guide.

For information on protecting resources for SiteMinder SSO, see SiteMinder documentation.

OAM Only: Preventing Default Headers from Being Added to Responses

By default, OAM adds two headers, Pragma: no-cache and Cache-Control: no-cache, to protected URLs. Because these headers conflict with similar caching directives added by the EPM System and web applications, browsers may not cache the content of protected URLs, causing slower performance.

For detailed information on preventing these OAM headers from being added to responses, see "Tuning OAM Agents" in the "Oracle Access Management Performance Tuning" section of Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

Resources to Protect

The following table lists the contexts that must be protected. The syntax for protecting a resource (using interop as an example) for OSSO:

<Location /interop>
   Require valid-user
   AuthType Basic
   order deny,allow
   deny from all
   allow from myServer.myCompany.com
   satisfy any
</Location>

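The allow from parameter specifies servers from which the protection of the context can be bypassed. Because satisfy any is set, requests from those servers are accepted without authentication, while all other requests must still meet Require valid-user.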

For Oracle Hyperion Enterprise Performance Management Workspace and Oracle Hyperion Financial Reporting, you need to set only the parameters indicated in the following example:

<Location /workspace>
   Require valid-user
   AuthType Basic
</Location>

Table 3-1 EPM System Resources to Protect

EPM System Product | Context to Protect
Oracle Hyperion Shared Services
  • /interop
  • /interop/.../*
Oracle Hyperion EPM Workspace
  • /workspace
  • /workspace/.../*
Oracle Hyperion Financial Reporting
  • /hr
  • /hr/.../*
Oracle Hyperion Planning
  • /HyperionPlanning
  • /HyperionPlanning/.../*
Oracle Integrated Operational Planning
  • /interlace
  • /interlace/.../*
Oracle Hyperion Financial Management
  • /hfmadf
  • /hfmadf/.../*
Oracle Hyperion Financial Reporting Web Studio
  • /frdesigner/**
Oracle Data Relationship Management
  • /drm-web-client
  • /drm-web-client/.../*
Oracle Essbase Administration Services
  • /hbrlauncher
  • /hbrlauncher/.../*
Oracle Hyperion Financial Data Quality Management
  • /HyperionFDM
  • /HyperionFDM/.../*
Oracle Hyperion Calculation Manager
  • /calcmgr
  • /calcmgr/.../*
Oracle Hyperion Provider Services
  • /aps
  • /aps/.../*
Oracle Hyperion Profitability and Cost Management
  • /profitability
  • /profitability/.../*
Account Reconciliation Manager
  • /arm
  • /arm/.../*
Oracle Hyperion Financial Close Management
  • /fcc
  • /fcc/.../*
Oracle Hyperion Financial Data Quality Management, Enterprise Edition
  • /aif
  • /aif/.../*
Oracle Hyperion Tax Governance
  • /tss
Tax Operations
  • /taxop
Oracle Hyperion Tax Provision
  • /taxprov
Supplemental Data Manager
  • /sdm*
  • /sdm/**
  • /sdm/../**
  • /SDM-Datamodel-context-root/**
Oracle Essbase
  • /essbase/.../*
  • /essbase/**
  • /essbase*

Resources to Unprotect

The following table lists the contexts that must be unprotected. The syntax for unprotecting a resource (using /interop/framework(.*) as an example) for OSSO:

<LocationMatch /interop/framework(.*)>
   Require valid-user
   AuthType Basic
   allow from all
   satisfy any
</LocationMatch>

Table 3-2 EPM System Resources to Unprotect

EPM System Product | Contexts to Unprotect
Oracle Hyperion Shared Services
  • /interop/framework
  • /interop/framework*
  • /interop/framework.*
  • /interop/framework/.../*
  • /interop/Audit
  • /interop/Audit*
  • /interop/Audit.*
  • /interop/Audit/.../*
  • /interop/taskflow
  • /interop/taskflow*
  • /interop/taskflow/.../*
  • /interop/WorkflowEngine
  • /interop/WorkflowEngine/*
  • /interop/WorkflowEngine/.../*
  • /interop/TaskReceiver
  • /framework/lcm/HSSMigration
Oracle Hyperion EPM Workspace
  • /epmstatic/.../*
  • /workspace/bpmstatic/.../*
  • /workspace/static/.../*
  • /workspace/cache/.../*
Oracle Hyperion Planning
  • /HyperionPlanning/Smartview
  • /HyperionPlanning/faces/PlanningCentral
  • /HyperionPlanning/servlet/HspDataTransfer
  • /HyperionPlanning/servlet/HspLCMServlet
  • /HyperionPlanning/servlet/HspADMServlet/.../*
  • /HyperionPlanning/servlet/HspADMServlet/**
  • /HyperionPlanning/servlet/HspADMServlet*
  • /HyperionPlanning/servlet/HspAppManagerServlet/.../*
  • /HyperionPlanning/servlet/HspAppManagerServlet/**
  • /HyperionPlanning/servlet/HspAppManagerServlet*
Oracle Hyperion Financial Reporting
  • /hr/common/HRLogon.jsp
  • /hr/services
  • /hr/services/*
  • /hr/services/.../*
  • /hr/modules/com/hyperion/reporting/web/reportViewer/HRStaticReport.jsp
  • /hr/modules/com/hyperion/reporting/web/repository/HRObjectListXML.jsp
  • /hr/modules/com/hyperion/reporting/web/reportViewer/HRHtmlReport.jsp
  • /hr/modules/com/hyperion/reporting/web/bookViewer/HRBookTOCFns.jsp
  • /hr/modules/com/hyperion/reporting/web/bookViewer/HRBookPdf.jsp
Oracle Data Relationship Management
  • /drm-migration-client
Oracle Hyperion Calculation Manager
  • /calcmgr/importexport.postExport.do
  • /calcmgr/common.performAction.do
  • /calcmgr/lcm.performAction.do*
  • /calcmgr/lcm.performAction.do/*
Oracle Essbase Administration Services
  • /eas
  • /easconsole
  • /easdocs
Oracle Hyperion Financial Management
  • /oracle-epm-fm-webservices
Oracle Hyperion Financial Close Management
  • /FCC-DataModel-context-root
  • /oracle-epm-erpi-webservices/*
  • /ARM-DataModel-context-root
  • /oracle-epm-erpi-webservices/**
  • /arm/batch/armbatchexecutionservlet
  • /ARM-DataModel-context-root
Integrated Operational Planning
  • /interlace/services/
  • /interlace/services/*
  • /interlace/services/.*
  • /interlace/services/.../*
  • /interlace/anteros
  • /interlace/anteros/*
  • /interlace/anteros/.*
  • /interlace/anteros/.../*
  • /interlace/interlace
  • /interlace/interlace/*
  • /interlace/interlace/.*
  • /interlace/interlace/.../*
  • /interlace/WebHelp
  • /interlace/WebHelp/*
  • /interlace/WebHelp/.*
  • /interlace/WebHelp/.../*
  • /interlace/html
  • /interlace/html/*
  • /interlace/html/.*
  • /interlace/html/.../*
  • /interlace/email-book
  • /interlace/email-book/*
  • /interlace/email-book/.*
  • /interlace/email-book/.../*
Oracle Hyperion Profitability and Cost Management
  • /profitability/cesagent
  • /profitability/lcm
  • /profitability/control
  • /profitability/ApplicationListener
  • /profitability/HPMApplicationListener
Oracle Essbase
  • /essbase/agent
  • /essbase/agent*
  • /essbase/agent/.../*
  • /essbase/Essbase
  • /essbase/Essbase*
  • /essbase/Essbase/.../*
  • /essbase/jet/logout.html
  • /essbase/jet/.+\.(js|css|gif|jpe?g|png)$
Oracle Hyperion Financial Data Quality Management, Enterprise Edition
  • /aif/services/FDMRuleService
  • /aif/services/RuleService
  • /aif/LCMServlet
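
The following Python script is an added example, not part of Oracle's documentation. It checks an Oracle HTTP Server configuration fragment against the two tables, reporting protected contexts that lack Require valid-user and any block that combines allow from all with satisfy any outside the unprotect list. The sample configuration, the PROTECT and UNPROTECT subsets, and the function names are constructed for illustration; the parser handles only flat Location and LocationMatch blocks.

```python
import re

# Subsets of Table 3-1 and Table 3-2, enough for this example.
PROTECT = ["/interop", "/workspace", "/hr"]
UNPROTECT = ["/interop/framework", "/interop/Audit", "/workspace/static"]

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """
<Location /interop>
Require valid-user
AuthType Basic
order deny,allow
deny from all
allow from myServer.myCompany.com
satisfy any
</Location>
<LocationMatch /interop/framework(.*)>
Require valid-user
AuthType Basic
allow from all
satisfy any
</LocationMatch>
<Location /workspace>
Require valid-user
AuthType Basic
allow from all
satisfy any
</Location>
"""

BLOCK = re.compile(r"<(Location(?:Match)?)\s+(\S+?)>(.*?)</\1>", re.S | re.I)

def parse_blocks(conf):
    """Map each Location/LocationMatch path to its normalised directives."""
    return {path: {" ".join(line.split()).lower() for line in body.splitlines() if line.strip()}
            for _, path, body in BLOCK.findall(conf)}

def is_open(directives):  # allow from all + satisfy any admits any client
    return {"allow from all", "satisfy any"} <= directives

def audit(conf, protect=PROTECT, unprotect=UNPROTECT):
    blocks, findings = parse_blocks(conf), []
    for ctx in protect:
        # A protected context needs its own block carrying Require valid-user.
        if "require valid-user" not in blocks.get(ctx, set()):
            findings.append(("missing-protection", ctx))
    for path, directives in blocks.items():
        # Open access is expected only for paths under the unprotect list.
        if is_open(directives) and not any(path.startswith(u) for u in unprotect):
            findings.append(("open-but-not-in-unprotect-list", path))
    return findings
```

Calling audit(SAMPLE_CONF) flags /hr as having no protection block and /workspace as open to all clients even though it appears in Table 3-1.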