About Securing Your Communication and Network

Transport Layer Security (TLS) and its deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. TLS works in much the same way as SSL, using encryption to protect the transfer of data and information.

In general, authentication certificates include those signed by a certification authority (CA) and self-signed certificates (which require additional configuration so that the client software "trusts" them).

TLS can be enabled during Essbase deployment configuration, or after Essbase configuration. For general information about TLS, see Transport Layer Security.

TLS Everywhere Secure Communication Topology and Components

The diagram below shows components and interfaces that are secured by TLS communication encryption. Essbase configuration includes the option of enabling TLS security configuration.

TLS Security Diagram

Security certificate storage used in the system:

  • JAVA CA Certificates Storage - stores all CA certificates, including self-signed ones (found using the Java Virtual Machine (JVM) trust store)
  • Client Wallet - storage used by C API clients for trusted certificates only; uses TSSNET protocol
  • Client's JRE Cacerts - cacerts file located inside the Java runtime; contains all keys that this running Java instance will trust. This is an Essbase client in this runtime.
  • OVD Trusted JKS (Oracle Virtual Directory Trusted Java Key Storage) for trusted certificates for LDAP over TLS (LDAPS)
  • Platform - Oracle Platform Security Services (OPSS) - identity and trust storage for WebLogic certificates
  • Server Wallet - storage for both trusted and identity certificates, used by Essbase application servers (ESSSVR)

Clients:

  • MaxL (administrative scripting language) / ESSCMD (old Essbase command language)
  • C API Clients - custom C API clients
  • Java API Clients - trusted Java key storage (JKS) for client-trusted certificates

WebLogic Managed Server:

  • Platform - web service that provides access to database features, including REST API and Essbase web interface
  • Java Agent - Essbase Java Agent (JAgent), a service instance that manages Essbase applications and security; controls start/stop of every application; controls access of various clients to applications; Platform is used in Java Agent as requested
  • Essbase Applications Server - service that performs tasks related to storing, calculating, and activating data; it is the multidimensional analytic engine that performs all operations, and all other components of this system exist only to provide access to this engine
  • C API Proxy - proxy service that can provide access directly to Java Agent and Essbase Applications Server; makes it possible to connect to internal ESSNET services inside the HTTP protocol; every client that supports this API proxy can work directly with Java Agent and Essbase Applications Server
  • WebLogic Security Client - service that you can configure for Java Agent and Platform to work as a bridge between different security services providers and all components in the system; uses LDAP protocol

Interfaces and Tools:

  • REST API and Essbase web interface
  • Essbase Command-line Interface tool (CLI)
  • 11g LCM Export Utility for migration

Security (LDAPS) Service Provider - can provide security services - identification and authentication (identity and trust); also used as secure storage for identity and certificates

Protocols by which communication between components is secured:

  • HTTPS
  • ESSNET over TLS - Essbase proprietary networking protocol
  • XML PIPE over TLS
  • LDAPS