Moving from Native to External Authentication - Hyperion Shared Services

Hello Experts/John.
We are planning to move from native directory authentication to external (MSAD) authentication mechanism.
For that we have planned as below...
1) We will configure MSAD with our present Shared services.
2) Export the users using import-export utility from native directory.
      Replace the user's name in csv file with their respective AD user name. This will get modified along with the group/roles.
      Re-load the modified csv file so that new users will come into effect.
3) Change the authentication preferences.
4) Remove the passwords from the native directory, so that all authentication happens thru AD and basis roles that are stored
in shared services users will able to see respective application with their desired priv.
As I said this the approach we are thinking. Kindly suggest us whether we are on right path or this will cause any problem in production..
We are on using EPM 11.1.1.3 on Win 2003 platform.
Seeking your guidance.
Thanks

Forget to mention that we are currently working on EPM 11.1.1.3 version on win 2003 environment...

Similar Messages

  • Migrating Security from Native to External Authentication mode Servers

    Hi All,
    I am migrating applications from V7, V9 (doesn't use Shared services) to V11 (Shared Services Enabled) Essbase server.
    I am able to migrate the application definition using the Application Migration Wizard.
    Take level-0 export from the source server & load on the target server & do the default-calc or series of custom calcs depending upon the application's maintenance process.
    Using the Application Migration wizard, we can also migrate security only if both Source & Target servers use Native Authentication mode.
    This can be ruled out in my case as only Sources are native & Target is Shared services enabled.
    Here are few tools available to do bulk provisioning on a Shared Services enabled Essbase application -
    1. MAXL - Works great - But too tedious to create the MAXL statements based on the security definitions on the Source servers.
    2. CSS Import-Export utility - I heard it works only when both Source & Target are Shared services enabled. Can this be used for my case. Also heard many didn't find success with this one.
    3. LCM - Not sure if this can be used for security.
    Are there any other utilities?
    Has anyone done similar migrations before? Please let me know the best practice to do this.
    Appreciate your thoughts.
    -Ethan.

    It is much easier to go about that method, it is not always 100% successful with groups/users but gets most done.
    If you are past that stage then maybe try using the advanced security manager to extract security from your source environment.
    Then you could use the CSSImportExport Utility, first create a template from the information you extracted from your source and then run use the utility to provision users in the new environment.
    There are obviously other ways but that is the way I would prefer if using Shared services security.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Moving users from one server to another using Shared Services

    How do you migrate users and groups from one server to another from Hyperion Shared Services in version 9.3.1?
    When users were provisioned from EAS on version 7.x we could use Migration Utility but now since users are provisioned using Shared Services, what is the approach to be followed?

    Someone will probably give you a real-world example of how to do it, but to get you started you may want to review the Hyperion Security Administration guide, section "Migrating Native Directory" which discusses that you need to first install the Import/Export Utility on your Shared Services server, then create an export file, then go to your target Shared Services Server and long story short, import it.
    -Karen

  • AD authentication against Shared Services failing randomly

    We're seeing random failures in AD authentication against Shared Services both via the Excel Addin and via Maxl scripts.
    SQL server (v 10.50.2500), Shared Services and OHS (v 11.1.2.2.303), and Essbase server (v11.1.2.2.104) are installed on the same physical box (16 cores, 192GB RAM) in a single-server configuration. It happens every few days at no fixed time and is resolved either by itself in a few hours, or by stopping and starting EPM services (Hyperion Foundation Services - Managed Server, OPMN service for Essbase, and OPMN service for OHS are stopped by running <Middleware_Home>\user_projects\epmsystem1\bin\stop.bat, and started by running start.bat).
    While the AD authentication is down, nobody is able to connect (via the Excel Add-in or Maxl scripts) using their AD accounts and get the following error - "Analytical Services user [AD_user1] Authentication Fails against the Shared Services Server with Error [EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.]". Native authentication works at all times (even when AD authentication fails).
    Although it seems to apply to an older version and to Planning/Workspace, we did look into "Error "EPMCSS-00301: Failed To Authenticate User. Invalid credentials" Intermittently When MSAD User Logs Into Workspace. (Doc ID 1389871.1)". But even after making the suggested changes, the problem persists. Any ideas what might be causing AD authentication to fail randomly like this? Below are some relevant portions of the logs -
    From ESSBASE_ODL.log -
    [2014-01-10T04:41:06.693-05:00] [ESSBASE0] [ERROR:32] [AGENT-1440] [] [ecid: 1388972435616,0] [tid: 6312] Essbase user [hyperion_admin] Authentication Fails against the Shared Services Server with Error [EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.]
    [2014-01-10T04:41:06.693-05:00] [ESSBASE0] [WARNING:1] [AGENT-1003] [] [ecid: 1388972435616,0] [tid: 6312] Error 1051440 processing request [Login] - disconnecting
    From SharedServices_Security_Client.log -
    [2014-01-10T04:39:00.490-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required. [2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to get connection  from connection pool for user directory AD. Error executing query. adweilcom:389. Verify user directory configuration.
    [2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-09102] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to initialize group cache for MSAD user directory AD. Error connecting to url. ad.weil.com:389. Verify MSAD user directory configuration.
    [2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-00107] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.CSSManager] [SRC_METHOD: pingConfiguredProviders] Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.
    [2014-01-10T04:39:42.547-05:00] [EPMCSS] [WARNING] [EPMCSS-10029] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: run] Exception while building asynchronous group cache for user directory. EPMCSS-00107: Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.. Verify Shared Services security user directory configuration.
    [2014-01-10T04:40:24.605-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-10T04:40:24.605-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-10T04:41:06.662-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-10T04:41:06.662-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-10T04:41:06.693-05:00] [EPMCSS] [WARNING] [EPMCSS-10033] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Skipping user directory {0} failed to communicate with server. {1}. No action required.
    [2014-01-10T04:41:06.693-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    From console~Essbase1~EssbaseAgent~AGENT~1.log -
    [Fri Jan 10 04:40:22 2014EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.               
    at com.hyperion.css.facade.impl.CSSAbstractAuthenticator.authenticateUser(CSSAbstractAuthenticator.java:658)
    at com.hyperion.css.facade.impl.CSSAPIAuthenticationImpl.authenticate(CSSAPIAuthenticationImpl.java:69)               
    at com.hyperion.css.facade.impl.CSSAPIImpl.authenticate(CSSAPIImpl.java:102)               
    at com.hyperion.css.facade.impl.CSSAPIImpl.login(CSSAPIImpl.java:794)               
    at com.hyperion.css.facade.CSSAPIFacade.login(CSSAPIFacade.java:776) ]
    Local/ESSBASE0///9180/Info(1042059)

    Server times are in sync. In fact, we see no such issues on the 9.3.1 environments (which are in the same server farm as the 11.1.2.2 environments).
    We're using the same MSAD configuration we have in the 9.3.1 environments as follows -
    Directory Server: Microsoft
    Name: AD Host Name: ad.mycompany.com
    Port: 389
    SSL Enabled: unchecked
    Base DN: DC=ad,DC=mycompany,DC=com
    ID Attribute: objectguid (greyed)
    Maximum Size: 200
    Trusted: checked
    Anonymous Bind: unchecked
    User DN: ad\hyperion_admin
    Append Base DN: unchecked
    User RDN: blank
    Login Attribute: cn
    First name Attribute: givenName
    Last name Attribute: sn
    Email Attribute: mail
    Object Class: person,organizationalPerson,user
    Support Groups: checked
    Group RDN: OU=groups
    Name Attribute: CN
    object class: group?member
    I also tried disabling AD groups (Support Groups = unchecked), but I still see a random AD authentication failure. Below are logs based on automated retrievals using an AD account at 14:37, 17:37, 20:37 and 21:40 today. The first 2 worked fine, the 3rd failed, the fourth worked fine again. From SharedServices_Security_Client.log -
    [2014-01-11T14:37:00.574-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 42] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 44] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 44] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 45] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
    [2014-01-11T14:37:01.151-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.
    [2014-01-11T17:37:00.752-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 46] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 48] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 48] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 49] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
    [2014-01-11T17:37:01.361-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.
    [2014-01-11T20:37:00.634-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
    [2014-01-11T20:37:42.707-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T20:37:42.707-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to get connection  from connection pool for user directory AD. Error executing query. adweilcom:389. Verify user directory configuration.
    [2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-09102] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to initialize group cache for MSAD user directory AD. Error connecting to url . ad.weil.com:389. Verify MSAD user directory configuration.
    [2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-00107] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.CSSManager] [SRC_METHOD: pingConfiguredProviders] Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.
    [2014-01-11T20:38:24.748-05:00] [EPMCSS] [WARNING] [EPMCSS-10029] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: run] Exception while building asynchronous group cache for user directory. EPMCSS-00107: Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.. Verify Shared Services security user directory configuration..
    [2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T20:39:06.806-05:00] [EPMCSS] [WARNING] [EPMCSS-10033] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Skipping user directory {0} failed to communicate with server. {1}. No action required.
    [2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T21:40:41.799-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 52] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
    [2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
    [2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
    [2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 54] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
    [2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 54] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
    [2014-01-11T21:40:42.002-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 55] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
    [2014-01-11T21:40:42.002-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
    [2014-01-11T21:40:42.080-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.

  • Hyperion Shared Services Error

    Guys,
    I had configured MSAD external authentication in Hyperion Shared Services 9.3.1. I am also able to see the groups and users in the shared services.
    I provisioned one of the group with Essbase Admin, and HSS Admin. but when i tried to login to the Shared services with a userID in that group, HSS is showing the error "User: XXXX, not found"
    CSS.xml file seems to be fine to me. Users in Native authentication are working fine.
    - <css>
    - <hub location="http://HSS-Server:58080">
    <dirPort>58089</dirPort>
    </hub>
    - <spi>
    - <provider>
    - <native name="Native Directory">
    <password>{CSS}4N6lVcgiE/dGr8rFdvQLcA==</password>
    </native>
    - <msad name="XXXXX">
    <vendor>Microsoft</vendor>
    <trusted>true</trusted>
    <url>ldap://MSAD-server:389/DC=xxx,DC=xxxx,DC=com</url>
    <userDN>YYYYYYYYYYYYYYYY</userDN>
    <password>{CSS}VBLEOOfJ6ucg4ybH9z9PvQ==</password>
    <authType>simple</authType>
    <maxSize>100</maxSize>
    <identityAttribute>ObjectGUID</identityAttribute>
    <identityAttributeType>Octet String</identityAttributeType>
    - <group>
    <useGroups>true</useGroups>
    - <objectclass>
    <entry>group?member</entry>
    </objectclass>
    <url>OU=yyy</url>
    <nameAttribute>cn</nameAttribute>
    </group>
    </msad>
    </provider>
    </spi>
    - <searchOrder>
    <el>XXXX</el>
    <el>Native Directory</el>
    </searchOrder>
    - <token>
    <timeout>480</timeout>
    </token>
    - <logger>
    <priority>WARN</priority>
    </logger>
    - <delegatedUserManagement>
    <enabled>false</enabled>
    </delegatedUserManagement>
    </css>
    Any help is much appreciated.
    AB

    As informed earlier you could refer this link http://www.oracle.com/technetwork/middleware/bi-foundation/hyperion-supported-platforms-085957.html which will have the corresponding version support matrices (In your case 9.3.1 or 9.3.3) which will help you to find out which OS and which browsers can be used.

  • OBIEE 11.1.1.6.2 BP1 authentication through Shared Services EPM 11.1.2 .2

    Hi,
    Any idea how to get the authentication in OBIEE through Shared Services to work?
    We use Native Directory and MSAD in SS, hence we need to get the authentication through Shared Services.
    We were able to run this on EPM 11.1.1.3 through LDAP server of Shared services port 28089, surely not working now.
    I've tried both of the following but still no luck:
    http://gerdpee.wordpress.com/2011/06/17/oracle-weblogic-and-hyperion-shared-services-11-1-1-3/
    http://gerdpee.wordpress.com/2011/06/17/integration-sort-of-of-obiee-11-1-1-5-and-hyperion-shared-services-11-1-1-3/
    Please help. Many thanks!!!
    Cheers,
    Steve

    Hi Steve,
    I have not been through this, but hope this helps you though. While we run the System configurator Wizard (EPM 11.1.1.2), we are now having an option to integrate EPM with OBIEE. Have you given it a shot?
    I am just thinking, if we could had it configure for us, we could directly access the Subject Areas from OBIEE, just like what Mark had mentioned here : http://www.rittmanmead.com/2009/01/epm-workspace-111-and-obiee-10134-updated/
    You could further look into the "SSO using CSS Token" field in the connection pool, too.
    Hope this helps and I will let you know, if I have any other information.
    Thank you,
    Dhar

  • Re: OBIEE 10.1.3.4.1 integration with Hyperion shared services 11.1.1.3

    I am working on OBIEE authentication using hyperion shared services. To achieve this I did the following steps,
    1) Registered the shared services in Answers using 'Manage EPM workspace'
    2)Modified config.xml to enable HSSauthenticator
    3)Modified instanceconfig.xml by adding external auth tags
    4)In rpd created a init block using custom authenticator.
    When I login into Answers using a username and password from hyperion shared services, it is saying invalid username/password.
    Log file says ' xxxxxx authentication failed in repository star, Odbc driver returned an error (SQLDriverConnectW)'
    Can some one explain me if I am missing anything here?? Is there anyone who has successfully implemented this before.
    Thanks,
    Sandeep

    Sandeep,
    I am fairly certain that this integration actually works in the other direction.
    That is from the Oracle Hyperion Workspace portal you need to log in and once you are in Workspace from the file menu an option for "Oracle Interactive Dashboards" should be available if all is configured correctly with the integration. That link will open up OBIEE and take the user directly into the dashboards without having to get prompted by the OBIEE login screen.
    If you have the BIC2Go image (Dan Vlamis' team, vlamis.com) for Oracle BI 10g you can see this integration's configuration and see it working correctly.
    I hope that helps

  • Troble configuring Hyperion Shared Services with SQL Server 2005

    I recently installed SQL server (SQL SERVER 2005) in my machine and then am trying to install Hyperion (9.3.1) products. I started with Shared services. It was installed successfully. Problem is occuring when am trying to configure Shared service with SQL database using Hyperion Configuration utility (9.3.1)
    The error which is popping up is
    Unable to connect to the database for the product Hyperion Shared Services.
    Things which I tried from my end
    1. Made sure TCP IP Protocol was enabled in SQL server configuration server.
    2. hypuser was created in SQl server.
    3. hypdb was created in SQL server.
    4. Was having dynamic IP address so install Loopback adapter to obtain Static IP address and port.
    5. Port and IP address was correct.
    Let me know where I am going wrong.
    Any help will be greatly appreciated.

    Finally got it fixed firewall settings needed to be change : This document helped me a lot to troubleshoot the issue
    An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 2)
    This problem may occur when SQL Server 2005 is not configured to accept incoming local and remote connections, which is disabled by default in SQL Server 2005 Express Edition, SQL Server 2005 Developer Edition and also SQL Server 2005 Enterprise Edition. To solve the connection forbidden problem, SQL Server 2005 needs to configure to allow incoming local and remote connections.
    Firstly, ensure that SQL Server 2005 is configured properly to allow incoming connections on the instance of database server, else enable and turn on the local and remote connections setting.
    Click Start button, then go to Programs or All Programs, then select Microsoft SQL Server 2005, followed by Configuration Tools. Click and run the SQL Server Surface Area Configuration.
    On the “SQL Server 2005 Surface Area Configuration” page, click Surface Area Configuration for Services and Connections.
    On the “Surface Area Configuration for Services and Connections” page, expand Database Engine tree, click Remote Connections.
    Select Local and remote connections, or Local connections only which applicable only if there is no remote system tries to connect to the SQL Server, useful when you just trying to connect and authenticate with the server after installing.
    Select the appropriate protocol to enable to local and/or remote connections environment. To ensure maximum compatibility, select Using both TCP/IP and named pipes.
    Click Apply button when done.
    Click OK button when prompted with the message saying that “Changes to Connection Settings will not take effect until you restart the Database Engine service.”
    On the “Surface Area Configuration for Services and Connections” page, expand Database Engine, then click Service.
    Click Stop button to stop the SQL Server service.
    Wait until the MSSQLSERVER service stops, and then click Start button to restart the MSSQLSERVER service.
    Secondly, SQL Server Browser service has to be enabled to allow for local and remote connections if SQL Server 2005 is running by using an instance name and users are not using a specific TCP/IP port number in the connection string.
    Click Start button, then go to Programs or All Programs, then select Microsoft SQL Server 2005, followed by Configuration Tools. Click and run the SQL Server Surface Area Configuration.
    On the “SQL Server 2005 Surface Area Configuration” page, click Surface Area Configuration for Services and Connections.
    On the “Surface Area Configuration for Services and Connections” page, click SQL Server Browser.
    Select Automatic as the Startup type to start SQL Server Browser service automatically every time system starts.
    Click Apply button.
    Click on Start button to start the service immediately.
    Click OK button.
    Finally, if remote computer needs to connect and access SQL Server, an exceptions in Windows Firewall included in Windows XP SP2 (Service Pack 2), Windows Server 2003 and Windows Vista needs to be created. If you’re using third-party firewall system, the exception rules also needed to be created to allow external remote connections to the SQL Server 2005 and SQL Server Browser Service to communicate through the firewall, else connections will be blocked. Consult the firewall manual for more details. Each instance of SQL Server 2005 must have its own exception, together with an exclusion for SQL Server Browser service.
    SQL Server 2005 uses an instance ID as part of the path when you install its program files. To create an exception for each instance of SQL Server, you must identify the correct instance ID. To obtain an instance ID, follow these steps:
    Click Start button, then go to Programs or All Programs, then select Microsoft SQL Server 2005, followed by Configuration Tools. Click and run the SQL Server Configuration Manager.
    In “SQL Server Configuration Manager”, click the SQL Server Browser service in the right pane, right-click the instance name in the main window, and then click Properties.
    On the “SQL Server Browser Properties” page, click the Advanced tab, locate the instance ID in the property list.
    Click OK button.
    Then create an exception for SQL Server 2005 in Windows Firewall.
    Click on Start button, the click on Run and type firewall.cpl, and then click OK. For Windows Vista, type firewall.cpl in Start Search box and press Enter key, then click on Allow a program through Windows Firewall link on left tasks pane.
    In “Windows Firewall”, click the Exceptions tab, and then click Add Program.
    In the “Add a Program” window, click Browse button.
    Click the C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe executable program, click Open button. MSSQL.1 with is a placeholder for the instance ID that is obtained from previous procedure. Note that the path may be different depending on where SQL Server 2005 is installed.
    Click OK button.
    Repeat steps 1 through 5 for each instance of SQL Server 2005 that needs an exception.
    For SQL Server Browser service, locate the C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe executable program, and click Open button.
    Click OK button.

  • Hyperion Shared Services (WebHal) user retrieval - slow

    Hi,
    I applied the Hyperion Shared service patch 9.3.1
    After that i am noticing a significant decrease in the user retrieval response time.
    Will deleting the users help me in any way ?
    Could you anyone point me as to how could i increase the response time ?
    Thanks,
    COldFIre
    Edited by: coldfire on Sep 15, 2010 9:17 PM

    Did you notice this behavior with nativ openldap or with an external directory ?

  • Hyperion Shared Services Active Directory

    Gurus, i am an Essbase Developer and currently have an issue where the users in the Hyperion Shared Services Active Directory does not reflect the true number of users actually on the company network.
    Whilst new employees created in the company flow through correctly into Hyperion Shared Services, those who have left the company still show in Hyperion Shared Services, even though they have been deleted from the network. Its as if newly created users synchronize perfectly into the Hyperion Shared Services Active Directory, but the deletion of users does not flow through.
    Has anyone experienced this?
    Thanks

    Hi,
    You are fecthing the user ids from Active Directory just to reduce lot of manual effort of creating native ids for all the user and also a security part its suggested to use Active Directory.
    Now how can you say that id is still active in AD, the user who had left the company his id would be already inactive even though you are able to query the user and provision on his id or add him/her to a group that has provisions will not be able to login as their id is made inactive.
    If you want to remove them automatically from Essbase or Shared Services automatically when their id gets disabled it wont happen as provisioning information etc lies with Shared Services and just to authenticate a valid user AD comes into picture .
    If you want to eliminate users from accessing the system whose id is disabled is to change your AD configuration in Shared Services based on the inputs from your AD team such that where does the disabled id go into (ex : which OU etc..) and configure accordingly which should work.!!! now if you want to eliminate them from Essbase unprovision them/their ids and run security refresh .
    Thanks
    Amith

  • Hyperion Shared Services Export

    Hello All,
    I need to export Hyperion Shared services, I know about CSSEXPORT.bat utility but i am not sure how to run, we are using Hyperion Planning, Essbase FDM APS, Smart view, FR and some other tools and I need to export either in xml file or CSV, if is there any other option i can use or how i can run from CMD prompt. We used Hyperion System 9.3.1
    Any help would be great.
    Thank you,
    T.Khan

    You can call CSSEXPORT.bat script using following statement
    Call CSSExport.bat importexport.properties
    Make sure your importexport.properties file is present in the same location as CSSExport.bat files
    format of importexport.properties file needs to like this
    Send me your email id and I can send you a document on import/export utlity for version 9.3.1
    #import export operations
    importexport.css=file:/C:/Hyperion/deployments/Tomcat5/SharedServices9/
    config/CSS.xml
    importexport.cmshost=localhost
    importexport.cmsport=58080
    importexport.username=admin
    importexport.password={CSS}MRcYv323uzxGr8rFdvQLcA==
    importexport.enable.console.traces=true
    importexport.trace.events.file=trace.log
    importexport.errors.log.file=errors.log
    Import/Export Utility 3
    importexport.locale=en
    # importexport.ssl_enabled = true
    # export operations
    export.fileformat=xml
    export.file=C:/exportNew.xml
    export.internal.identities=true
    export.native.user.passwords=true
    export.provisioning.all=true
    export.delegated.lists=false
    export.user.filter=*@Native Directory
    export.group.filter=*@Native Directory
    export.role.filter=*
    export.producttype=HUB-9.2.0
    #export.provisioning.apps=(HUB=Global Roles)
    # import operations
    import.fileformat=xml
    import.file=C:/exportNew.xml
    import.operation=update
    import.failed.operations.file=c:/failed.xml
    import.maxerrors=0

  • Creating data server for Hyperion Shared Services (HSS)

    Hey Gang,
    Has anyone had experience in creating a Data Server for Hyperion Shared Services (HSS) using the java API? I know HSS uses Native Directory, but to be compliant the Hyperion folks recommend using the java API strictly to get access to the users, groups, etc.
    Anyone have experience with this, or perhaps at least how to get ODI to kick off a java file to pull the data needed? What effort would be needed in ODI, is it straight forward or would I have to develop a technology or something to integrate into ODI?
    Thanks.

    Thanks for the quick reply John. I am trying to get user and group information, and also doing some complex manipulation. I need this to verify user access and some other stuff. I will not always have access to HSS and cannot always export the information, thus the need to use the HSS java API.
    I'm trying to pull it out of HSS and put it into an Oracle table in a standard format where I'll use the information and do reporting off of it. I've developed a java class that does migrates the data over, but its crude and I'd like to move it into ODI with some of our projects that are currently doing the same thing with other ERP such as Ebiz and Peoplesoft.
    If I can recode some of the java in ODI, how would I go about doing that. Where would I include the libraries, etc.? is there a tutorial or a place where I can get started on that.
    Thanks for all the help.

  • Security issue-Hyperion shared services console

    Hi,
    I want a user to access worspace planning but not EAS.
    how to do with hyperion shared services console.
    Regards,
    DK
    Edited by: 972210 on Nov 20, 2012 5:19 AM

    Yes, the user has the Provisioning role and can edit and save user roles, but they cannot update native groups that users are assigned too.

  • Hyperion shared services error 1051522 - Analytical Services failed to get

    Hi All,
    When I am trying to resync my securioty from HSS 11.1.1.1 to my essbase 9.3.1 I am getting this folowing error.
    hyperion shared services error 1051522 - Analytical Services failed to get group's member tree with Error MSAD porvider could not be contacted
    I have already checked for any corrupt application on essbase but alll the esssbase apps are fine.
    Any help would be appreciated.
    Thanks

    I have resolved this issue by Myself.

  • Hyperion Shared Services Console:  EPMCSS-09159 error

    I have assigned Administrative rights in Hyperion Shared Services Console v11.1.2.2.0.66 that are identical to my rights, but they still get the following error when trying to grant access to Native groups:
    "EPMCSS-09159:  Failed to update user relationship to native groups.  User "username" not authorized to update user.  Contact Shrared Services administrator."
    I am able to grant user access to Native groups with the same access.  Let me know if you have any suggestions for me to try.
    Thanks

    Yes, the user has the Provisioning role and can edit and save user roles, but they cannot update native groups that users are assigned too.

Maybe you are looking for