1. Security Configuration Guide
  2. SSL-Enabling EPM System Components
  3. SSL for Essbase 21c

SSL for Essbase 21c

Overview

This section explains the procedures for replacing the default certificates that are used to secure communication between an Oracle Essbase instance and components such as MaxL, Oracle Essbase Administration Services Server, Oracle Hyperion Provider Services, Oracle Hyperion Foundation Services, Oracle Hyperion Planning, Oracle Hyperion Financial Management, and Oracle Hyperion Shared Services Registry.

Note:

  • Essbase Administration Services (EAS) Lite does not use the HTTP Server SSL port (for example, 443) configured using the EPM Configurator. The secure URL in the easconsole.jnlp file defaults to the non-SSL port (80).

    Workaround: Replace the default non-SSL port in the secure URL identified in easconsole.jnlpwith the updated secure URL:

    Default Secure URL: https://myserver:SECURE_PORT/easconsole/console.html. Example, https://myserver:80/easconsole/console.html

    Updated Secure URL: https://myserver:SECURE_PORT/easconsole/console.html. Example, https://myserver:443/easconsole/console.html

    See My Oracle Support (MOS) article - Doc ID 1926558.1 - SSL Port Not Included In easconsole.jnlp of the EAS Web Console for more information.

  • Planning's connection to Essbase might not function if SSL is set up for EPM in a Windows environment.

    Workaround: Add the following folder path to the PATH system environment variable on the server where Planning is installed. 

    EPM_ORACLE_HOME\bin21C

Default Deployment

Essbase can be deployed to work in SSL and non-SSL modes. Essbase Agent listens on a non-secure port; it also can be configured to listen on a secure port. All connections accessing the secure port are treated as SSL connections. If a client connects to the Essbase Agent on the non-SSL port, the connection is treated as a non-SSL connection. Components can establish concurrent non-SSL and SSL connections to an Essbase Agent.

You can control SSL on a per-session basis by specifying the secure protocol and port when you log in. See Establishing a Per-Session SSL Connection.

If SSL is enabled, all communication within an Essbase instance is encrypted to ensure data security.

Default deployments of Essbase components in secure mode uses self-signed certificates to enable SSL communication, mainly for testing purposes. Oracle recommends that you use certificates from well-known third-party CAs to SSL-enable Essbase in production environments.


A conceptual secure deployment

Typically, an Oracle Wallet stores the certificate that enables SSL communication with clients that use Essbase RTC and a Java keystore stores the certificate that enables SSL communication with components that utilize JAPI for communication. To establish SSL communication, Essbase clients and tools store the root certificate of the CA that signed the Essbase Server and Agent certificates.

Required Certificates and Their Location

Oracle recommends the use of certificates from well-known third-party CAs to SSL-enable Essbase in a production environment. You may use the default self-signed certificates for test purposes.

Note:

Essbasesupports certificates that are supported by OpenSSL.

You require the following certificates:

  • A root CA certificate.

    Components that use Essbase RTC to establish a connection to Essbase require that the root CA certificate be stored in an Oracle Wallet. Components that use JAPI to establish a connection require that the root CA certificate be stored in a Java keystore. The required certificates and their locations are indicated in the following table.

    Note:

    You may not need to install root CA certificate if you are using certificates from a well-known third-party CA whose root certificate is already installed in Oracle Wallet.

  • Signed certificate for Essbase Server and Essbase Agent.

Table 2-4 Required Certificates and Their Locations

Component1 Keystore Certificate 2
MaxL Oracle Wallet Root CA certificate
Administration Services Server Oracle Wallet Root CA certificate
Provider Services Oracle Wallet Root CA certificate
Oracle Enterprise Performance Management System Database Oracle Wallet Root CA certificate
Planning
  • Oracle Wallet
  • Java Keystore
 Root CA certificate
Financial Management Java Keystore Root CA certificate
Essbase (Server and Agent) 3
  • Oracle Wallet
  • Java Keystore
  • Root CA certificate
  • Signed certificate for Essbase Server and Agent
Oracle Hyperion Shared Services Repository    

1 You need only one instance of the keystore to support multiple components that use a similar keystore.

2 Multiple components can use a root certificate installed in a keystore.

3 Certificates must be installed in the default Oracle Wallet and in the Java keystore.