Jan 30, 2014

Top 5 Reasons to Upgrade to 11.1.2.3

With the release of new third party software and new features in the latest EPM version, we have been receiving questions from clients on why should they consider upgrading to the latest version of Oracle EPM which is 11.1.2.3

First of all, you may have heard from Oracle that the latest patch set update for Oracle EPM is due out in Q1 of this year which will be 11.1.2.3.500. It is said that this patch will introduce the long awaited support for IE10 among other things and perhaps support for Windows 2012.

Mostly from a technical perspective the top 5 reasons to upgrade are:

Reason 1: Support for IE10 and Windows 8.x

In the last few months, I have seen many IT departments starting to upgrade all client desktops to Windows 7 (sometimes Windows 8), IE10 and Office 2013. Although support for IE10 and Windows 8.x is still yet to be released, Oracle has mentioned in several places that the upcoming 11.1.2.3.500 patch will introduce this support. When? It’s anybody’s guess but they said they expect to release it by Q1 2014. With IE10 and Windows 8.x support comes support for FireFox 24 as well.  And could this also mean support for Windows 2012? We will just have to wait and see.

Reason 2: Support for Office 2013

The good news is that if you want to support Office 2013 you don’t have to upgrade your entire EPM environment, you only need to upgrade Smart View. The latest Smart View version is 11.1.2.5 and this is the version that supports all 11.1.2.x versions (11.1.2.1, 11.1.2.2 and 11.1.2.3). So if your IT department is upgrading all desktops to Office 2013, you want to include Smart View 11.1.2.5 as part of this upgrade. Again, this does not require you upgrade your EPM server environment, just the desktops.

Reason 3: Transform your legacy FDQM and ERPi apps to FDMEE

Probably one of the biggest reasons to upgrade for clients that use FDQM or ERPi is the ability to upgrade to FDMEE. Or maybe you use some archaic method for loading data into your planning applications (report scripts via batch scripts, etc.) you may still want to upgrade to take advantage of the new features introduced in FDMEE. If you want to read about FDMEE and integration with other new modules you can read Francisco's blog which has a wealth of information on this matter at http://akafdmee.blogspot.com

Reason 4: Introduce new modules

Starting with 11.1.2.2 and now with 11.1.2.3, Oracle has been introducing new modules like Account Reconciliation Manager that integrates with FDMEE. Other new modules include Project Based Planning and Tax provisioning. See below for a link to a complete list of new modules and features in EPM 11.1.2.3

Reason 5: Introduce new features on existing applications

EPM 11.1.2.3 introduced a lot of new features from Planning’s ability to use ASO cubes and HFM unlimited dimensionality to a myriad of enhancements to the LCM that allows for a much easier maintenance and migration of application artifacts between environments (and presumably versions). Other features like Smart View’s ability to update metadata, can be a little scarier but these need to be weighed and depending on your needs they will make a strong argument for upgrading to 11.1.2.3

For a complete list of features introduced in EPM 11.1.2.3 you can read the documents included in the following URL: http://docs.oracle.com/cd/E40248_01/index.htm


Jan 16, 2014

Essbase Clustering Part 1

Essbase clustering can be used in order to mitigate the risk of an Essbase server going down and affecting your Planning or Reporting application with it. When it comes to Essbase clustering, however, there is one commonly used method which is to use the Essbase clusters that can be configured via the main installation program.

These Essbase clusters are more like a “hot spare” configuration or active/passive. The problem with this approach is that you need to have two identical servers (ideally) but can only use one at a time not using any of the horsepower from the “passive” server.




In order to have a cluster of this type you will need to configure a Microsoft Cluster to monitor both servers, services and DNS entries. Configure a cluster disk (outside of the Essbase cluster) to store the Essbase data files (ARBORPATH) and configure opmn to monitor Essbase process running on both servers. Ideally, MCS will detect a down server and point the cluster name to the other server and switch the shared disk. Then OPMN will detect that Essbase is not running on the downed server and start it on the server that is still available.

Does this sound like a lot? There’s another option…

Another method of clustering is an active/active cluster, which can mitigate the risk of having only one Essbase server and also serve as a load balancer.The main “gotcha” for an active/active cluster is that you can not write back to it which is required for Planning applications. This is the reason this type of clusters is not as popular and is almost exclusively used with ASO reporting applications. Another gotcha of active/active clusters is that you have to build your cubes and load data on both servers. These need to be maintained in-sync in order to make sure that users being sent to one server see exactly the same as other servers in the cluster.

This method uses APS and the JAPI to establish server pools like so:




The main advantage for this setup is that you don’t have to configure any MS Clustering and you can treat each server individually with its own ARBORPATH’s. In EAS, each will show as an individual server with their own set of applications. On the downside, you will have to build each application on each server.

Again, this is most suitable for ASO applications or BSO apps that do not require write back (which rules out Planning) and can take advantage of the horse power of both servers at all times (unless a server goes down)

I will be writing two follow up posts on how to configure each type of cluster identified here.

That’s all folks!


Jan 14, 2014

Securing your EPM Installation with SSL (OHS terminated configuration)

You have many options to secure your EPM installation with SSL. One of which is to enable SSL terminated at the OHS layer. The graphic below shows how one can secure an OHS server surrounded by firewalls. Even though the purpose of this post is not to discuss security design, I felt it would be important to explain the difference between securing your environment with OHS terminated SSL and an SSL off-loader which are the two most commons methods for securing EPM.




The graphic above depicts how OHS can be enabled to communicate securely between end user and the web server. In this case all users would be directed to a secure URL (i.e. https://servername.host.com:19443/workspace/index.jsp)


The graphic above depicts how one can use a load balancer off-loader to secure your entire EPM environment. Just as with OHS terminated SSL configuration, you would be directed to a URL using HTTPS, the main difference is that you do not have to configure SSL within the EPM environment, just in the SSL off-loader.

Steps for enabling SSL

Wallet configuration


Open Wallet Manager and create a new Wallet specifying a password


Once you create the wallet it will prompt you if you want to create a CSR. You can either answer yes or generate your CSR at a later time if you answered no.



When creating the CSR make sure you use the FQDN of the server as the common name


At this point the request has been generated, so we want to save the wallet. By default, I always save my wallets outside of the Oracle EPM directory structure to make sure it doesn’t disappear after an upgrade or a patch. So I will save my wallet on E:\SSL. After saving your wallet, you will need to export the request and have it signed by either a private CA (your company would need to sign this) or pay someone to sign it (like VeriSign, Comodo, GoDaddy, etc). To export the CSR you can right click the Certificate and select “Export Certificate Request”



I saved the exported CSR on E:\SSL\epmlabapp.csr I will not cover the process of sending the CSR to a CA but I’m sure you understand what the process is, if not, you can ask a security admin to sign the certificate for you from an internal CA.

After the certificate has been signed you need to import it on the wallet. Right click the request and select “Import User Certificate”


If the CSR was correctly signed you will see the Certificate in the wallet look like the below screenshot (In my case, I used a bogus CA to sign my certificate request)



Note about certificates: If a self signed certificate is used or an internal certificate authority signed the certificate, you will need to ensure that the root CA that signed the certificate is trusted by all computers accessing the EPM URL’s. Otherwise, you will either get a warning message that the URL you are trying to open is not trusted or components just won’t work (i.e. Smart View, Reporting Studio, etc.)  A “wild card” certificate can also be used. This is a certificate where a CA has signed *.yourcompanyname.com so as long as your server resolves to something with that ending domain name you will be ok.

The last thing you need to do to the wallet is to enable the auto-login feature so you don’t have to enter a password every time you try to start OHS.


You can save and close the wallet.

OHS Configuration Steps


After you have configured the OHS wallet, it’s time to configure OHS to use this wallet to encrypt all communications. You will have to edit the following file (always remember to make backups):
E:\Oracle\Middleware\user_projects\FOUNDATION\httpConfig\ohs\config\OHS\ohs_component\ssl.conf. Change the path to the wallet on the following line:



to point to the location where the wallet you created lives, in my case:



Also, you need to include the ssl.conf file in the main httpd.conf file. The httpd.conf file is located in the same directory where ssl.conf is. You can edit it with your favorite editor and look for the following line:


and uncomment the include as follows:




After this things should’ve worked. However, in EPM 11.1.2.3 for some reason Oracle left out the other conf’s from the ssl VirtualHost directive, so you will need to add those to the ssl.conf file like so:


You can go to the end of the VirtualHost directive in the ssl.conf file and add the same four includes that are in the VirtualHost directive from the httpd.conf (at the end of the file)

Save both files and restart OHS and you should be able to access the EPM URL’s with SSL enabled.


If you get a red address bar, it’s because the certificate you installed is not trusted or not signed by a trusted CA and will have to be signed by a trusted CA or add the CA (if you trust it) to the computer’s certificate trusted CA’s.

That’s all folks