High Availability Strategy for Oracle EPM Version 11

•August 19, 2009 • 4 Comments

As EPM usage reaches global users, implementing Oracle EPM in a highly available fashion is becoming a major part of infrastructure planning.  Let’s go through a couple of key considerations when considering High Availability for your organization.

Are you sure?

The first question I ask clients is if they really need it.  I find that sometimes IT organizations are trying to start implementing load balancing and H/A as part of a “corporate standard” or some made up Sarbanes Oxley requirement.   In reality, in many cases unplanned downtime, although obviously not welcome, can be tolerated in organizations in the event of a catastrophic hardware failure.

The best bet is to work with the Finance to truly understand their availability times.  Then, take a look at your backup/recovery plan, and your  hardware vendor agreements for on-site emergency part replacement.  Some clients have a 2-hour guarantee field replacement by their hardware vendor, and even full replacement parts on-site.  Think of all the scenarios of unplanned downtime and apply a probability to it to accurately asses the total risk of a non-redundant implementation.

If that does not make you take pause – think cost.  A highly available installation will double your hardware cost and almost triple your implementation time.  There also could be additional licensing costs associated with redundant components.

Don’t try this at home

If after all of that and you decide that H/A is mandatory in your organization, go for it!  But beware – do not try this at home.  A Highly available installation should only be performed by an Oracle Certified infrastructure partner.

High Availability in EPM 11

The biggest change in Oracle’s stance for high availably in version 11 is the dropped support for all 3rd party clustering solutions such as Veritas Cluster Server and Microsoft Cluster Server. … which is quite unfortunate.  The only supported clustering methodology is Oracle Clusterware.  This is really bad news for those IT shops that already have an older system deployed on a different clustering technology. It also is especially frustrating because Oracle Clusterware requires the use of Oracle Cluster File System (OCFS) for shared disk resources….which on windows can take 5 minutes to failover. Nice.

Terminology

First lets talk terminology, at least how I will define these terms for the use of this posting.

High Availability
The ability to continue to provide computing resources in the event of a fatal hardware failure.

Cluster
Two or more linked machines that are used for Load Balancing and/or failover of services for high availability

Load Balancing
Distributing requests among multiple applications servers to evenly distribute load.  Many times a Load Balancer is used as the single entry point and it will distribute requests based on load of the individual servers or in a simple round-robin fashion. The nice thing about load balancing, is that most of the time, you also get High Availability.

Failover
The ability to automatically switch services to a standby server if the primary server fails.

The EPM Strategy for High Availability

Each component of the EPM enterprise has a different approach to H/A. Understanding how each component works determines the best methodology.  We implement H/A using the following as a guide.

1.)  Load Balance when you can

Load Balancing

Load balancing gives you the best of both worlds – distributing load for performance, and hardware fault tolerance.

This is naturally suited for Web Components.  Many of the BI Web components are, in essence, stand alone web sites packaged and contained in a Java Application Server (WebLogic, WebSphere, etc).  These sites simply respond to requests and can be load balanced.

  • Workspace
  • Web Analysis
  • Financial Reporting Web Components
  • Planning
  • Analytic Provider Services

2.)    Use product built-in clustering when you can

Some components have the built in concept of clusters, some have built in round robin load balancing. It’s best to take advantage of that when you can and let the product handle the high availability.

  • Built in Clusters (Must still supply a load balancer)
    • Financial Management
    • Financial Data Quality Management
  • Built in load balancing
    • Interactive Reporting
    • Production Reporting
    • PDF Print Server

3.)    3rd Party failover only when you have to

Cluster

Some of the other components of the EPM system do not load balance or cluster well.  I call these “The Highlanders” because there can be (or should be) only one.

HH

There can be only one Highlander

  • Foundation
  • Financial Reporting Scheduler Server
  • Essbase Administration Services
  • Essbase Integration Services
  • EPMA Dimension Server
  • Essbase Studio

Notes on Essbase

Sure if you look at the High Availability support matrix, Oracle is happy to say that Essbase can be clustered and Load Balanced.  But look closely… that is in read only mode only.  While there are a few situations a read-only Essbase cluster makes senses for an organization, I almost always see this limitation making the Essbase cluster solution useless. It certainly will not work for Planning.

To make matters worse, Oracle will not support 3rd party clustering of any kind on Essbase – not even Oracle Clusterware.  While this is supposed to be address in the next release in Sept/Nov, it leaves us little choice on the Essbase layer.

Our options are to:

Do it anyway. But just know that if Oracle determines that a support issue is related to the cluster, they have every right to insist that you demonstrate the issue without it in the mix before they will take responsibility.  However, for most behavioral or performance issues that you would call support about, Oracle should not know or even care that your Essbase is running on top of a cluster.

Do an active/Cold stand-by. In essence have a powered-off machine configured with the same hostname/IP address connected to the same shared disk resource as the active machine. Upon failure, there will be a manual process of shutting down the active server (if needed), dismounting the disk resource, starting up the cold server, mounting the disk resource, and bringing services online.

Notes on OBIEE

OBIEEI have to say that OBIEE is pretty flexible and robust for high availability.  There are many components to OBIEE, and each can be configured independently for load balancing as needed.  The problem is that each MUST be configured independently. The Flexibility is great, but it can be a challenge to set up for the novice.  And, I’m not sure how necessary it all is.  Popular methodology for OBIEE is to install all components on every server in the cluster and load balance between them.  It would be nice to have a more graphical, built in, approach to that…but in the mean time, we have loads of fun editing INI and XML files.

The point is that OBIEE can be fully redundant and fault tolerant, and using a certified partner, don’t be afraid to insist it in your organization.  It works.

If you would like to discuss H/A in your environment, please contact me.

Posted in Uncategorized
Tags:

Eric in Oracle Magazine

•August 17, 2009 • Leave a Comment

sep09_ocover_medium 

Check out the latest edition of Oracle Magazine.  Eric is featured in the Community section.

 

 

Here is the link: 

http://www.oraclemagazine-digital.com/oraclemagazine/20090910/?pg=35%26pm=2%26u1=002%26sub_id=aPtdEmyWInca

Posted in consulting, Documentation, EPM, Eric Helmer, Hyperion, Hyperion error, infrastructure, Oracle, System 9, The Hackett Group, Uncategorized

What I like and Dislike about Version 11

•July 5, 2009 • 2 Comments

My Favorite Version 11 Infrastructure related features:

  • Planning data source creation moved to workspace
    • No longer do you have to launch the config tool on the server to create a planning data source.
  • Essbase Archive Logging
    • It’s about time.  With version 11, you can replay and undo transactions with archive logging.  The best part:  point-in-time recovery of Essbase.
  • Integrated Installer with diagnostics
    • It’s nice to see more attention to the installation process.  We no longer need to be concerned with installation order.
  • Life Cycle Management.
    • Finally a working tool to promote objects from Dev->Test-> Production.  It even has a command line interface so you can script a data refresh processes.
  • Free Stuff!
    • Oracle is not offering Weblogic and Oracle Clusterware for free if you use it exclusively with the EPM product.  Saves a ton of cash and you get an enterprise class web application server.
  • Linux and 64-bit support
    • I’m excited to see Oracle become more Linux aware. We are now seeing many more products supporting Linux, making EPM an affordable solution for even the smallest of shops.
  • Better OBIEE integration.
    • It’s clear that this is the strategic direction.

Things that still bother me:

  • Not all products have been ported to Linux / Unix
    • We still have the need to use windows for some things.
  • 64-bit not really 64-bit?
    • installation can be problematic on some products.  Even though the docs say 64-bit is supported, many of the compiled binaries are still 32-bit.
  • Oracle Support
    • Support is still quite challenging.

Posted in Uncategorized

Catch Eric’s Session at Kaleidoscope

•June 4, 2009 • Leave a Comment

Kaleidoscope is an annual technically focused conference conducted by the ODTUG.  This year it will be in Monterey, CA June 21-25.  Check out the Website for more information:

http://www.odtugkaleidoscope.com/

Check out Eric’ session:

Upgrade Oracle Hyperion Planning from 9x to 11.1.1

Location: Cypress I & II
Time: Session 17, Thursday, 8-9am.

Learn how to successfully upgrade Hyperion Planning to 11.1.1 version. This presentation will describe how to install and configure the 11.1.1 release, migrate the application meta data and data, as well as users and business rules. This presentation will also include best practices description, which can help you successfully upgrade your planning environment. A brief 11.1.1 functional overview will also be provided.

If  you are going to attend Kaleidoscope… let me know!

Posted in Uncategorized
Tags: , , ,

The OAUG Hyperion SIG Meeting

•May 12, 2009 • Leave a Comment

Conferences like Collaborate are natural places for the Special Interest Groups (SIGS) to hold meetings, as members are normally spread across geographical regions.  Sunday evening, the OAUG Hyperion SIG met. It was kicked off by the current president, Ed Delise, who talked a bit about the accomplishments of the SIG over the last year.  The SIG has made some great progress and has matured quite a bit, although there is much more to do.  Luckily, we have a great team of energized and motivated board members that continue to make the Hyperion SIG the true “Home for Hyperion”.  Now more than ever – it is a great time to join. Web Membership is free.

The Major Take-aways….

  1. Ed Delise is stepping down as President. I strongly encourage customers who want to make a difference in the Hyperion Community to consider running for a board position.  Nominations close on May 6th.
  2. The Marketing and Communications Coordinator, Kristen Newman, announced that the OAUG has been in talks with Oracle to perhaps conduct a Hyperion EPM and BI only conference to give the BI Community their own conference.  (Sound familiar?  Solutions revisited?)  They were originally looking at possibly November for this, but I think the general consensus is that is a bit too aggressive.  I would bet that if this indeed comes to fruition, it will be more around Q1 2010.  Stay tuned.
  3. Ed Delise was given an appreciation award for his work on the SIG for the last two years.  Congratulations to him.
  4. Michael Schrader gave a 30 minute presentation on EPM in Trouble Times.  However, this seemed to be about the same content that was presented by John Kopcke a bit later.

Each domain lead gave a 5 minute domain update….  I will go over my updates as the Member Services Coordinator and Domain Lead for Infrastructure…

Member Services Coordinator Update

The Member Services update was covered by Ed, however here are the main take-aways…

1. The Hyperion SIG has created a new LinkedIn group which will be used for the official forum.  It is free to use for customers.

LinkedIn Group: OAUG – Hyperion SIG

http://www.linkedin.com/groups?gid=1834504

This group is intended for an open and free discussion as the home for Hyperion.  Job postings will be rejected. Please join!  It’s a great place to keep up with what is going on and a resource you can use to ask questions, seek assistance, and bounce ideas off of the user community.

2. Establishing a back-channel into Oracle. I am working very closely with Regina Robuck, Manager, Affiliate Communities with OAUG and Mark Conway, Director, Alliance for Performance Leadership at Oracle to establish a special channel to Oracle on behalf of the Hyperion SIG.  This channel can be used to communicate major issues, enhancement requests, bugs, etc to Oracle ad get solid feedback from them.  The channel can also be used for Oracle to provide important news and roadmap information back to the community.   Stay tuned for more information on that.

Infrastructure Domain Update

Version 11 is the most aggressive Enterprise-class EPM System that Oracle has ever produced.  Oracle has done a great job integrating the capabilities of the Hyperion Suite with the robustness of Oracle methodology.  Companies are now using Oracle EPM Solutions in global, mission critical capacities.  As such, the importance of a sound infrastructure is on the forefront of IT manager’s minds to ensure information delivery service levels.   More and more companies are rolling out Oracle EPM solutions in highly available fashions using clustering, 24-hour helpdesk monitoring, and follow-the-sun operations. Knowledge transfer and training of IT staff in the areas of monitoring, tuning, troubleshooting, backup/recovery, and scalability are the keys to successful implementations.

Current Trends in Hyperion Infrastructure

  • More customers are moving to version 11, but many waiting
  • Those that stay on 9.3 opt to install all the latest and greatest patches – worth it!
  • More multiple tier requests (ie DEV and TEST)
  • More interest in additional 3rd party support packages to supplement Oracle Support
  • Generally more involvement of IT department, mission critical
  • IT more involved in creating a proper path-to-production migration and change management policy/procedures
  • More attention to backup/recovery and disaster/recovery testing

Hot Topics in Infrastructure – Customized IT Training

  • Strive for an autonomous IT departmentDaily maintenance/system administration
  • Data flows, communities ports, security
  • Starting/stopping
  • Location of logs/troubleshooting
  • Backup/recovery
  • Monitoring, scaling
  • Migration

Hot Topics in Infrastructure – Business Continuance

  • Minimize downtime in crashes/disasters
  • Make use of Clustering technologies
    • Oracle Cluster Server (only in V11)
  • Load balancing
    • Web Services\Distribute load
    • maintenance with availability
  • Redundant Disk systems
    • SANS, mirrors, snapshots
  • Staging for scalability
    • DNS and virtual IPs
  • Version 11 Essbase archiving logs
    • Point in time recovery (finally)

Posted in Uncategorized
Tags: , ,

Another Collaborate conference is officially in the history books

•May 12, 2009 • Leave a Comment
Hackett Booth

Hackett Booth

The Collaborate Conference was held at the Orange County Convention Center in Orlando this year.  The facility is mammoth – which is great – there was plenty of room for everyone and things were well marked.   All of the Hyperion sessions were held in one almost secluded area.

We estimated there were about 200 attendants to the Collaborate conference that that were there for Hyperion….so you generally see the same people at least walking around in the Hyperion section.

OAUG

OAUG at Collaborate

That made it nice and easy for those to go from session to session without being rushed.  However, if you wanted to go to a session outside of the Hyperion track, you were in for quite a walk.  I attended a couple IOUG sessions around Oracle Cluster Server and felt like I should have taken a taxi.

There were some folks getting around on Segways and other electric scooters – I was quite jealous.

Attendance was low, as we expected.  In general we saw less people in each of the sessions and less activity in the booth and vendor area.  However, it was my experience that the customers that did attend were there for a reason and got a lot out of the conference.  In general, I think the conference provided attendants a way to learn and interact

John Kopke

John Kopcke

with partners that gave them some great ideas and lessons learns as they consider their upcoming Hyperion projects.

he sessions I attended were generally good quality.  I spent a lot of time going to roadmap and future state sessions, including John Kopcke’s Oracle’s Business Intelligence Strategy.  I also went to a couple OBIEE, case studies on using Oracle in virtualized environments, and Oracle Clusterware. My session on Mission Critical Hyperion environments went well too.

The lunch food was awful.  But the evening snacks were not bad.

LUNCH

Really?

Wednesday night was the conference outing to the Island Adventure Theme Park. They rolled out the red carpet and we all had exclusive access to the park for 3 hours. It was a great time as we experienced  all the theme rides over and over again.  Afterwords, it was a family reunion with a bunch of old friends:  Below is Sean Bernhoit, Maria Myers, Ash Jain, and Kelliann Hoelscher doing our best Spiderman impression.

Island Signred carpetThe gang

I look forward to Collaborate 10 – Las Vegas!

Posted in Uncategorized
Tags: , , , , ,

Dont Miss Eric’s upcomming presentation – Collaborate 09

•April 27, 2009 • Leave a Comment

Collaborate 09

Larger implementations of the Hyperion Enterprise Performance Suite are becoming more commonplace.  As corporations are turning to global integration and real time analytics, mission-critical 24-hour Hyperion applications must accommodate thousands of users worldwide.  This session will focus on large Hyperion implementations and include topics dedicated to achieving a global, highly available enterprise.  It will discuss clustering and fail-over techniques, load balancing, virtualization, disaster recovery, and implementing global users over wide area networks.

Don’t miss:

Mission Critical! Implementing Highly Available Global Hyperion Installations.

Collaborate 09 Conference, Orlando

When: Monday May 4th. 2:30 pm – 3:30
Room: W101A

Also, don’t forget the OAUG Hyperion SIG Meeting:

When: Sunday May 3rd. 3:30 pm – 5:45 pm
Room: W304C

Let me know if you are going to be at the conference!

Posted in Uncategorized

…And Knowing is Half the Battle

•March 1, 2009 • 1 Comment

nowyouknow

Dear Finance Manager:

So you decided to take the plunge and implement a shiny new Hyperion system 9 or 11 implementation. You have purchased your software, bought your hardware, hired a partner to install and configure the servers, and are ready to start designing all your great pie charts. You have trained your finance staff on how to load data, create dashboards, and email reports. That’s great!

But what about IT? You forgot about your IT department, didn’t you?

You have just rolled out an Enterprise class system and dumped it on an unsuspecting IT department who has not idea how to maintain and administer the system…..and you expect the system to be up and running 24/7, right? And you want to get your data back if someone accidently deletes something or the hard drive blows up, right? And you want them to fix it if there are problems and make it go faster when it slows down during your close process, right?

No way.

A modern day IT department is in charge of many systems – email systems, sales, databases, inventory, HR, Payroll, billing, web sites, etc…. all of which are very unique. Simply put, you cannot just throw an enterprise system on an IT department and expect them to have everything working smooth with no training. That’s not saying anything against your IT staff – I’m sure they are very talented, but complex corporate systems are just that – complex. Installing a system, getting it working, and getting finance up to speed is just half the battle….you need the other half – IT training.

There are many aspects to IT administration – Maintenance, Troubleshooting, automation, monitoring, capacity planning, backup/restore, business continuity and disaster planning, helpdesk integration, job automation, upgrades and patching, etc. While these concepts are common in IT, each corporate system has it’s own unique methods in dealing with these things, and Oracle/Hyperion is no exception.

We all have experienced the wonderful support calls within Oracle. My advice – don’t fall short with Infrastructure services. After the system is installed, take the time to get additional training that is specific to IT. I assure you that rolling out your system into production will go a lot smoother with a well trained IT staff.

Let’s face it…you want your system up and running, they want to sleep through the night without their cell phones and pagers going off.

Sure, you can get general training with Oracle Classes. But those assume a one server simple environment with ALL Oracle EPM products performed in an Oracle classroom on THEIR system with a bunch of different customers. Great for an intro, but modern day IT departments need to get up to speed fast and need the detail to perform their daily jobs and keep the systems delivering.

Some Oracle Partners, such as Hackett offer customized classes performed on YOUR site, on YOUR system, on YOUR products, in detail with YOUR IT staff.

Help your IT staff help you – even if god-forbid, the money has to come out of the Finance budget. 🙂

Feel free to contact me for more information.

Posted in Uncategorized

Are you still manually starting services????

•January 5, 2009 • 4 Comments

Starting and Stopping Services

One of the most confusing aspects of the Oracle-Hyperion Suite is the basic task of starting and stopping the services in the correct order.  Why is this so difficult?  Why is there no script? Why so many services?

It’s SOA

As with many enterprise class software packages, Oracle-Hyperion is based on a Service Oriented Architecture or SOA.  All components of the Hyperion Suite are glued together by a common foundation and protocols so all of the modules can interact with each other as needed.  What this means is that there is inherent flexibility in how one can design and architect an implementation.

If you wanted to (not that I would recommend it) you could install all of the modules and products on one machine. Or you can virtually install every component on separate servers in a mix-match of operating systems and configurations. This also allows some products to have multiple instances so that load balancing and scalability is possible. The point is that Oracle leaves it up to us to design an environment that meets our individual needs.

Unfortunately, that also means we have a lot of services and processes that we must maintain across many machines – all with dependencies to each other.  Visualizing the Hyperion foundation gives an insight into these dependencies so we can understand why the start order is so important – and it is.  I know that for many system admins, it is natural to simply set all services to automatically start at boot but, chances are, that is probably not going to work. Lets think of our foundation so we can start things in the correct order…

The relational database

The Relational database is the backbone of the Hyperion suite.  These are a set of databases (or schemas in Oracle) that hold metadata for the product. Shared Services, BI Plus, Essbase Administration Services, HFM, Planning, EPMA, ODI all have separate databases that are required to be up and running when the products are started, and should be started first.

Shared Services/OpenLDAP

Next is Shared Services.  When most products starts, they check in with Shared Services to get a handle on the location of vital components.  In some cases services will not even start if Shared Services is not running, and even if they do, they may not function.  Also remember, shared Services requires OpenLDAP. Be careful – Shared Services can take quite some time to fully come up…be sure to wait a few minutes to ensure it is all the way up before starting the other services.  Check by going to:  http://<HSS_HOST&gt;:58080/interop

The BI reporting and Analysis foundation – BI Core,  Workspace

For BI, the CORE process is key.  BI Core is the common foundation for all of BI and acts as a traffic cop for session management, etc.

EPMA (if applicable)

If you are using EPMA, now is the time to start it.

Essbase Related Services

  1. Essbase Server,
  2. Essbase Administration Services,
  3. Essbase Integration Services
  4. Provider Services

The rest of BI – reporting and Analysis – in this order

  1. Interactive Reporting
  2. Financial Reporting Services
    1. FR Server
    2. FR RMI
    3. FR Scheduler
    4. FR Print Server
    5. FR Web Server
  3. Web Analysis

The rest of the products (any order)

  • Planning and RMI Service
  • Hyperion Financial Management (HFM)
  • Strategic Finance
  • Performance Scorecard
  • Data Relationship Management (DRM)
  • Financial Quality Data Management(FDQM or FDM)
  • Data Integration Management (DIM)
  • Oracle Data Integrator
  • OBIEE

See the Hyperion System 9 install_start_here guide for locations of the start scripts for each of these services.  The stop order is the reverse of the start order.

Automating Start/Stop through scripts

Because of SOA, there are seemingly an infinite number of ways any given Hyperion implementation can be designed.  As such, there is no way Oracle can bundle a single start-all or stop-all script for you.

Obviously there are many advantages to having a script start and stop everything, most notably for nightly backups and scheduled maintenance.  In large environments covering a handful of machines, manually logging into each server and starting/stopping the services can be quite time consuming.

Most Hyperion IT admins create a script to start/stop the services, as needed in order. For windows, the “sc” command is popular.  The basic syntax is:

Sc \\hostname start|stop “Service Name”

For example a start_all.bat script could begin with the following:

echo Starting OpenLDAP
sc \\HSS_HOST start “OpenLDAP-slapd”
timeout /t 5
echo Starting Shared Services
sc \\HSS_HOST start “HyS9SharedServices”
timeout /t 200

For unix, the easiest way is to create rsh relationships (with .rhosts) between the machines and use rsh to execute remote commands on each server.

For example to start OpenLDAP:

rsh HSS_HOST <HSS_HOME>/openLDAP/startOpenLDAP.sh
sleep 5

Tips:

  • Create your scripts and play with the TIMEOUT/SLEEP values to optimize the speed but ensure all comes up correctly and functions.
  • Launch start processes in parallel when you can (background in Unix).  If there are no dependencies, there is no reason to start them one-by-one and wait.

Hands Off Administration

What if you want to have the Finance department start/stop services as needed, but you don’t want to give them access to the servers????  Common problem.

One way is the a product called Network Services Manager.  See http://www.networkservicesmanager.com/

This tool is a GUI tool that will allow non-technical personnel quickly and easily start/stop services and monitor the status of services on a machine without the need to log into the servers.  It can take some time and effort to set up, but once set up, it can make the life of a system admin much easier for environments such as a development environment that requires frequent service restarts.  Please let me know if you would like to demo NSM for purchase, I can get you a full-feature evaluation of the software and a significant discount.  ☺

Posted in Hyperion, Uncategorized
Tags: , , , ,

How Shared Services Works

•October 10, 2008 • 7 Comments

What Shared Services Does

Shared Services is a component of the “foundation services”.  It is the mechanism that provides a common framework for user security and administration.  It is the first component that is installed in an installation.  Once up and running, all Hyperion products and modules “plug-in” to this base.  Shared Services provides a single interface to:

  1. Define External Authentication providers (ie – corporate LDAP, MSAD, etc)
  2. Provision Users and Groups
  3. Life Cycle Management (promotion of artifacts between DEV and PROD)

Products communicate with Shared services though a common API which allows all the products to employ true single sign-on between the products.

Shared Services components

There are 4 major components of what we collectively call Shared Services:

  1. Shared Services web server.  The Web Server for the Shared Services communication and interface.  Default URL and port is http://<server&gt;:58080/interop
  2. Native Directory.  A small file-based OpenLDAP directory that comes with Shared Services to store provisioning information
  3. Relational Repository.  A small relational database (ie Oracle, SQL Server, etc) that stores location information
  4. Corporate External Authentication (optional).  Your (already existing) corporate external authentication mechanism.

If you do not have a corporate external authentication provider you can use the provided Native Directory to create users and passwords to provision.  However, doing this puts you into the password and account maintenance business. If you do have one, you will want to use it, as that will be taken care of for you. Shared Services will not store passwords of externally authenticated users, it simply forwards on the ID/Password combination to the provider for a thumbs-up or thumbs-down. You can have multiple user directories configured and set a search order for them.

The Native directory holds user IDs and Passwords of Natively authenticated users, provisioning information for all users, and tracks user-group relationships.  Again, this is stored in the OpenLDAP repository that comes with Shared Services. The OpenLDAP that comes with HSS  is a simple file-based database that is in LDAP format which runs on port 58089.  You can actually use an LDAP browser and connect to OpenLDAP and browse around using a base DN of dc=css,dc=hyperion,dc=com.

The relational component is a separate database (or schema in Oracle) that holds registration information about the products in the environment.

The following diagram summarizes the components.  Again, the corporate LDAP authenticates the user (are they who they say they are), the relational holds product registration information (can they access this particular product), and the native directory handles authorization (do they have permission to do what they are requesting to do in this product).

Provisioning users and Groups

The User Management console using the URL http://<server&gt;:58080/interop is used to provision users.  Provisioning is the process of granting access to users to certain products and services.  Here we browse through the users, and provision Henry for the BBB Essbase Application and the Finsrvs FDM application, and the TotPlan Planning Application.

Browse users

Show all users

Right click on Henry

Right click on Henry

Provision

Provision

The Process of Authentication

Once a product is registered with Shared Services, it receives and stores location of the user directories.  So when a user logs into a product, the process is as follows:

  1. The user enters the ID and Password into the product log-in screen
  2. The product queries all the configured user directories to verify the credentials.  Upon success, the user is authenticated.
  3. Once authenticated, the product contacts Shared Services to lookup the provisioning information of the user to see if the user has been given the access to the product and service.
  4. SSO is enabled for this user now for the rest of the products they are provisioned for.

What This Means for our System Administrator Brethren

  1. Shared Services must be the first to be installed and configured
  2. Shared Services must be the first to be started (along with OpenLDAP).  Note:  it can take a while for Shared Services to come up.  Make sure you wait a while and check that HSS is all the way up by going to the URL before starting the other services)
  3. Shared Services is a single point of failure for all Hyperion Products.
  4. You must be diligent in backing up Shared Services, including
    • Shared Services relational database
    • OpenLDAP (see the backup/recovery guide ….there is a utility that backs up the OpenLDAP directory)

Posted in Uncategorized
Tags: , , ,

« Previous Entries
Next Entries »