1. Installation and Configuration Troubleshooting Guide
  2. Foundation Services
  3. Shared Services

Shared Services

Running Remote Diagnostics Agent

Before reporting a Oracle Hyperion Shared Services bug, run Remote Diagnostics Agent (RDA). Attach the RDA output to the bug report. The output file is in /ohs/rda.

To run RDA, enter this command in a command window:

/ohs/rda/rda.cmd

For more information, see the RDA readme file in /ohs/rda.

Shared Services Logon

Issue: Shared Services logon fails.

Solution: Troubleshoot user directories and Shared Services Java web application by launching Oracle Hyperion Enterprise Performance Management System Diagnostics to ensure that the products' Java web applications are started. For instructions, see "Validating the Installation and Verifying Deployment" in the Oracle Enterprise Performance Management System Installation and Configuration Guide.

Also check the SharedServices_Security.log file. If you cannot log on to products, check SharedServices_SecurityClient.log. See Using EPM System Logs.

If logon fails against Microsoft Active Directory, ensure that Shared Services is configured to use DNS lookup to locate Active Directory. For instructions, see the solution in the next section, "High Availability of Active Directory." The most common reason for logon failure against Active Directory is that a host specified for the domain controller is offline for maintenance.

High Availability of Active Directory

Issue: You need to ensure high availability of Microsoft Active Directory

Solution: Configure Shared Services to use DNS lookup to locate Active Directory:

  • Specify the domain name.

  • (Optional) Specify the site and the DNS IP address.

Caution:

Oracle recommends against selecting the Host Name option for Active Directory configuration in Shared Services. Use the Host Name option for testing purposes only.

When configured to perform a DNS lookup, Shared Services queries the DNS server to identify registered domain controllers and switches to an available domain controller in case of a failure. For more information, see the Oracle Enterprise Performance Management System User Security Administration Guide.

Note:

Oracle recommends configuring Shared Services to use DNS lookup to locate Active Directory regardless of whether you require high availability.

Product Registration

Issue: You cannot register an Oracle Enterprise Performance Management System product with Shared Services when the product and Shared Services are on different machines. This message is logged in SharedServices_security.log:

com.hyperion.interop.lib.OperationFailedException: Unable to Authenticate

Solution:

  • Verify that the administrator's password for Shared Services is correct.

  • Subscribe to any online time source that uses an atomic clock, and ensure that both machines use this time source so that they are synchronized.

Security Lockout After Failed Logon Attempts

Issue: For security reasons, you want to lock out users who have unsuccessfully attempted several times to log on to Oracle Hyperion Enterprise Performance Management Workspace.

Solution: In an external directory (for example, Microsoft Active Directory or an LDAP-enabled user directory such as Oracle Internet Directory), define password policies to specify how many logon attempts to allow before locking out users. EPM System honors all locks controlled by the password policies for the external user directory. Because EPM System security for Release 11.1.2 does not support password policies for Native Directory, you cannot lock out a Native Directory user after a specified number of unsuccessful login attempts.

Asterisks in User Names

Issue: A user whose user name includes an asterisk (*) has unauthorized access to view information for similar user names.

Solution: Do not use the asterisk character (*) in user names or in Common Names (CNs), because it is the wildcard character used for searches performed in Oracle Hyperion Shared Services Registry. For information about supported characters in user names, see the Oracle Enterprise Performance Management System User Security Administration Guide.

EPM System Administrator User Name

Issue: You want the EPM System administrator to be a user from your corporate directory rather than "admin" so that corporate password policies are applied to the administrator.

Solution: In Shared Services, provision the users you want to be EPM administrators with the role of Administrator.

Tip:

You prevent access to the native "admin" account by assigning a long random password to it. The "admin" account cannot be deleted.

AuditHandler Message

Issue: The SharedServices_Audit.log file includes this line: 

AuditHandler - Server Audit Enable Status:- false

Solution: You can safely ignore this message, which indicates that auditing is not enabled on the Shared Services server.

An AuditHandler status message is included whenever an audit client pings the server for status. If auditing is enabled, the client proceeds with auditing events; otherwise, the client ignores auditing events.

Audit Data Purges and Oracle Database Tablespace

Issue: After repeated purging of audit data using Shared Services, table space is not freed in Oracle database.

Note:

In Oracle database, table space is not freed automatically when you delete the data from the tables.

Solution: Follow these steps:

  1. Stop the Shared Services server and run these queries to shrink the space occupied by the tables: 

    alter table SMA_AUDIT_ATTRIBUTE_FACT enable row movement 
alter table SMA_AUDIT_ATTRIBUTE_FACT shrink space 

alter table SMA_AUDIT_FACT enable row movement 
alter table SMA_AUDIT_FACT shrink space

  2. Restart the Shared Services server.

Single Sign-On

Issue: With the Oracle Single Sign-On (OSSO) security agent enabled, single sign-on (SSO) fails.

This issue occurs when the Shared Services security settings specify OSSO as the SSO provider or agent and Get Remote user from HTTP request as the SSO mechanism

Solution: Using Oracle Hyperion Shared Services Console, select these security settings:

  • SSO Provider or Agent–Other

  • SSO Mechanism–Custom HTTP Header

    The default value for the Custom HTTP Header is HYPLOGIN. You can specify a different value.

See the Oracle Enterprise Performance Management System User Security Administration Guide.

Shared Services Registry Contents and Updates

Caution:

Be extremely careful when editing the Shared Services Registry, because it is critical to running EPM System products. Always back up the Oracle Hyperion Foundation Services database before making any changes to the Shared Services Registry.

The Registry Editor utility—epmsys_registry.bat (Windows) —is in EPM_ORACLE_INSTANCE/bin. Running this utility creates a report on the contents of the Shared Services Registry. See "Updating the Shared Services Registry" in the Oracle Enterprise Performance Management System Deployment Options Guide

Issue: You cannot access the Shared Services Oracle Hyperion Enterprise Performance Management System Lifecycle Management user interface and must view the contents of the Shared Services Registry.

Solution: Run the Registry Editor utility without parameters to generate a report called registry.html.

Issue: You must change user directory information but cannot access the Shared Services Lifecycle Management user interface.

Solution: Run the Registry Editor utility for a report of deployment information that can help you determine how to edit the Shared Services Registry.

User Directories and Provisioning

See also the Oracle Enterprise Performance Management System User Security Administration Guide.

Provisioning Issues and Best Practices

If you have an existing LDAP/MSAD user directory, use a standard LDAP browser to explore the user directories that store user credentials before provisioning EPM System applications. The settings that the LDAP browser uses to connect to the user directory are identical to those that EPM System applications use to connect to the user directories. You can download a free LDAP browser.

Use the browser to check these points:

  • Whether you can connect to the user directory from the server that you are using

  • The response time

  • The starting point (base DN) for any search of the user directory

  • A count of the users and groups under the starting point

To ensure acceptable login performance:

  • Minimize the number of groups and users for EPM System applications.

  • Ensure that the server machines that host EPM System applications are in the same geographical location as the server machines that host the user directories used in the provisioning process.

  • Find an optimal starting point for searches or create a custom group hierarchy.

  • For the first item in the search order, specify the directory from which the greatest number of users log in.

External Users, Groups Information, and Performance

See the Oracle Enterprise Performance Management System User Security Administration Guide.

Issue: Performance is degraded because of a large number of external users or groups available in Shared Services.

Solutions:

  • Set up a filter to retrieve only the required users.

  • Oracle recommends that you set the group URL and tune the group filter to decrease the number of groups that Shared Services must parse to build the cache. Doing so improves runtime performance significantly.

See Faster User Retrieval, Application Registration, and Security Loading and Maximum Size Setting for User/Group Searches.

Issue: Shared Services accesses LDAP and MSAD group information even though you do not use LDAP or MSAD groups.

Solution: Create groups in Native Directory and assign users from LDAP and MSAD directories to them, then set the "use groups" option to false.

Use the Shared Services Console to modify the user directory configuration. Verify that the Support Groups check box on the Group Configuration tab is clear.

Note:

Oracle recommends that you set the group URL and tune the group filter to decrease the number of groups that Shared Services must parse to build the cache. Doing so improves runtime performance significantly.

Tips and Common Issues

The most common causes of problems that you might encounter when configuring Shared Services with external user directories:

  • The Group URL is incorrectly defined.

  • The host name, port, or domain controller is not specified correctly.

  • Too many groups are defined in the Group URL.

    Note:

    Shared Services displays a warning if the number of available groups within the Group URL exceeds 10,000.

Faster User Retrieval, Application Registration, and Security Loading

The following procedure enables you to perform these tasks faster:

  • Retrieve lists of users against projects

  • Register applications

  • Load security

To increase performance:

  1. If you plan to use groups:

    1. Use native groups, not external groups, to provision external users, and clear the use groups option on the groups tab of LDAP/MSAD provider configuration panel.

    2. Always set a group URL to the lowest node that includes all your groups.

    3. Use a group filter, if possible.

  2. Limit the number of users with EPM System access:

    1. Always define a User URL and set it as deep as possible.

    2. Set a user filter, if possible.

  3. Use the default logging level of WARNING. Change the level to TRACE only for debugging purposes. See ODL Configuration.

  4. For multiple groups and users, set the Java Heap Size in all products to 1 GB. See Java Heap Size Changes.

Group URL

Having more than 10,000 groups in the Group URL degrades performance. To resolve this issue:

  • Change the Group URL to point to a lower-level node.

  • Use a group filter that retrieves only provisioned groups.

  • Create a custom group hierarchy to support EPM System applications.

See the Oracle Enterprise Performance Management System User Security Administration Guide.

Maximum Size Setting for User/Group Searches

For MSAD, LDAP, database, and SAP providers, the number of users and groups a search retrieves is determined by the MaximumSize setting in the user directory configuration. To retrieve all users and groups, set MaximumSize to 0 when configuring user directories. You can then use filters to limit the searches.

Startup and Access Issues

Resolving a Shared Services Startup on the Application Server

If the Shared Services Java web application does not start:

  1. Review the Shared Services logs in MIDDLEWARE_HOME/user_projects/domains/EPMSystem/servers/FoundationServices0/logs.

  2. From EPM System Diagnostics, validate that database connectivity succeeds, and check external user directories. These are prerequisites for Java web application startup. For instructions on using EPM System Diagnostics, see "Validating the Installation and Verifying Deployment" in the Oracle Enterprise Performance Management System Installation and Configuration Guide.

  3. Determine whether the default port 28080 is being used by another application by running NETSTAT –an | findstr 0.0.0.0:28080. If you get (0.0.0.0:28080), change the Shared Services port or stop the process that is using the port.

Resolving Problems Accessing Products from Shared Services

You may be unable to log on to other EPM System products for these reasons:

  • Performance is unacceptably slow because the group URL and group filter are not limiting the number of groups returned by a search.

  • You are using invalid logon credentials.

  • The server hosting the product is not connected to the servers hosting user directories and Shared Services, so you cannot be authenticated as a user.

Perform these tasks:

  1. Review SharedServices_SecurityClient.log (on the server hosting the product) and SharedServices_Security.log (on the server). See ODL Configuration.

    • Check the Java web application port to ensure that you are using the web server.

    • If group cache errors exist, stop Shared Services and refresh the cache.

    • If authentication errors exist, verify that the user URL is correct.

  2. Ensure that the user ID and password are correct.

  3. Ensure that the server hosting the product can connect to the servers hosting the user directories and Shared Services.

Reregistering Products with Shared Services

Issue: You must reregister products with Shared Services. For example, you must reregister products if you accidentally delete the registration information.

Solution: Re-enable the Shared Services configuration task by edit the Shared Services Registry using this command:

Epmsys_registry updateproperty product/instance_task_configuration/@hssregistration Pending, where product identifies the EPM System product that you are reregistering.

Reconfiguring the Shared Services Database

Issue: You cannot change a configured Shared Services database directly in EPM System Configurator.

Solution:

  1. Delete MIDDLEWARE_HOME/user_projects/config/foundation/11.1.2.0/reg.properties.

  2. Restart EPM System Configurator.

  3. Reconfigure the Shared Services database by selecting Connect to a previously configured database.

Product-Specific Issues

Shared Services and Essbase Components

Issue: You receive this error message when refreshing security to Shared Services from the Oracle Essbase Administration Services console:

Error: 1051502: Analytical Services failed to get roles list for [ESB:Analytic Servers:PLYSHYP08D:1] from Shared Services Server with Error [Failed to connect to the directory server.]

Solution: Refer to SharedServices_SecurityClient.log in the Oracle Essbase logs folder. See Using EPM System Logs.

Issue: You cannot create an Essbase application as a Microsoft Active Directory user.

This issue occurs if Microsoft Active Directory contains user and contact records and Shared Services is configured to return both record types.

Solution: Edit CSS.xml to specify the setting objectClass=user. This setting prevents Shared Services the Microsoft Active Directory provider from returning contact records. The CSS.xml file is in EPM_ORACLE_INSTANCE/Config/FoundationServices.

Shared Services and Financial Management

Application Creation

Issue: You receive an Application Creation Fails error message.

Solution: Perform these tasks:

  • Review SharedServices_SecurityClient.log.

    If group cache errors are displayed, ensure that the group URL and filter are set correctly to accommodate group counts. If data broker property errors are displayed, enable interopjava logging. Use JRE 1.5 to support 1,000 or more groups.

    On the server, review SharedServices_Security.log.

    If errors relate to group caching, ensure that the group URL and filter are set to accommodate group counts.

  • Review the Oracle Hyperion Financial Management logs. See "Financial Performance Management Applications Logs" in Using EPM System Logs.

  • If the interop web site redirects to the Java web application server, ensure that the authentication method is anonymous and that Windows integration authentication is not used.

Smart View Timeouts

Issue: Oracle Smart View for Office with Financial Management times out after about 30 minutes.

Solution: Try these procedures:

  • Run the Server and web configuration utility on the Financial Management web server, and change the web session timeout setting. (The default setting is 20 minutes.)

  • If the client is using the URL provider for Smart View (not the Shared Services provider), right-click for the properties of the HFMOfficeProvider virtual directory in IIS, and then click Configuration on the Virtual Directory tab. In the new window, click Options, and change the session state timeout setting.

  • Change the setting of the default web site.

Also check the timeout settings of the Default web site and the Smart View Provider settings in the FM Server and web Configuration.