hss install

H Y P E R I O N ®

SHARED SERVICES™

R E L E A S E 9 . 2 . 1

I N S T A L L A T I O N G U I D E

Hyperion Shared Services, Release 9.2.1 Installation Guide

Copyright © 2004, 2007, Oracle and/or its affiliates. All rights reserved.

Authors: Michelle Cohen

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are “commercial computer software” or “commercial technical data” pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.

Contents iii

Contents

CHAPTER 1 Oracle’s Hyperion® Shared Services Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Hyperion Shared Services Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Shared Services Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Shared Services Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Shared Services Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Hyperion Security Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Shared Services User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

CHAPTER 2 Shared Services Installation Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

CHAPTER 3 Planning the Shared Services Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Relational Database Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Shared Services Server Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Shared Services Component Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Browser Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Software Requirements Summary Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Installation Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Port Numbers Used By Hyperion Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Default Port Numbers for Remote Method Invocation (RMI) Servers . . . . . . . . . . . . . . . 28

Setting Up Shared Services on Multiple Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

OpenLDAP Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Shared Services Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Sample Shared Services Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Standard Shared Services Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Shared Services with Replicated Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Sample Configuration of Clustered Shared Services with Replicated Databases . . . . . . . . 30

CHAPTER 4 Installing and Upgrading Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Upgrading Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Launching Installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Running the Installation Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

iv Contents

What Happens During Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Files Installed in the HSS_HOME Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Installing JDK on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

About Hyperion Home . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Hyperion Home Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Files Installed in the HYPERION_HOME Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Changing the Hyperion Home Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Running Silent Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Postinstallation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

CHAPTER 5 Configuring and Setting Up Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Hyperion Configuration Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Task Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Configuring Product Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Launching the Configuration Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Configuring Relational Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Changing the Database Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Configuring the Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Deploying Shared Services to an Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Postconfiguration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Backing Up Shared Services Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Starting Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Verifying Successful Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Stopping Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Deploying WebLogic When Connected Through a Proxy Server . . . . . . . . . . . . . . . . . . . 53

Enabling HTTPS for WebLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Updating the Default Session Timeout for WebLogic 8.1 on HP-UX . . . . . . . . . . . . . . . . 54

Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Configuration Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

CHAPTER 6 Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

About Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Uninstalling Hyperion Hub Release 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Uninstalling Hyperion Hub Release 7.0.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Uninstalling Hyperion Hub Release 7.2.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Uninstalling Shared Services Release 9.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

CHAPTER 7 About External Authentication and Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

About External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

About Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

About Support for SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Contents v

External Authentication and Single Sign-On Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

CHAPTER 8 Implementing Hyperion External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Workflow for Setting Up External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Preparing to Implement External Authentication and Single Sign-On . . . . . . . . . . . . . . . . . . . 66

CHAPTER 9 Using NT LAN Manager for External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Setting Up User Rights for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Setting Up User Rights on Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Setting Up User Rights on Windows 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

UNIX Application Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Multiple-Domain Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

CHAPTER 10 Configuring External Authentication for Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

How Configuration Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Launching the External Authentication Configuration Console . . . . . . . . . . . . . . . . . . . . . . . . 74

Adding or Editing an LDAP or MSAD Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Naming the Provider Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Specifying Hostname, Port, and Base DN (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Setting a Read-Only User Account or Selecting an Anonymous Bind (Required) . . . . . . 76

Specifying the Location of Users (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Specifying the Location of Groups (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Specifying the Provider Trust Setting (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Setting Maximum Result-Set Size (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Setting Authorization Type (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Completing the Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Adding or Editing an NT LAN Manager Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Naming the Provider Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Specifying the Domain (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Specifying a Remote Authentication Module Location (Optional) . . . . . . . . . . . . . . . . . . 81

Specifying the Provider Trust Setting (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Setting Maximum Result-Set Size (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Completing the Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Working with an SAP Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Adding an SAP Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Provisioning SAP Users/Activity Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Setting the Search Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Setting the Token Time-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Configuring the Preferred Logging Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Enabling the Security Agent for Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Additional Configuration Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Configuring the User Login Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . . . 89

Configuring the User First-Name Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . 90

vi Contents

Configuring the User Surname Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . 91

Configuring the User E-mail Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . 91

Adding Custom User Object-Class Entries (Optional, LDAP/MSAD Only) . . . . . . . . . . 92

Configuring the Group Name Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . 93

Adding Custom Group Object-Class Entries (Optional, LDAP/MSAD Only) . . . . . . . . . 93

Adding Referral Support (Optional, MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Deleting a Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Notes About User and Group Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Configuring SiteMinder Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Configuring the SiteMinder Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Configuring the SiteMinder Web Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Enabling SiteMinder Authentication in the Shared Services Configuration . . . . . . . . . . . 97

Deployment Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Using Secure Sockets Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Enabling the Use of SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Setting Up SSL on OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Setting Up SSL on Apache Tomcat 5.0.28 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

CHAPTER 11 Using the Hyperion Remote Authentication Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

About the Hyperion Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

UNIX Application Support for NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Multiple-Domain Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Installing the Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configuring and Starting the Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . 106

CHAPTER 12 Sample External Authentication Deployment Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Single LDAP Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Single Microsoft Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

UNIX Application and Single NTLM Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Windows Application and Single NTLM Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

UNIX Application Against LDAP, MSAD, and NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Windows Application Against LDAP, MSAD, and NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Multiple MSAD Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Multiple LDAP Directory Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Multiple NTLM Domains with Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Single Sign-On with SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Deployment References from LDAP Product Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

APPENDIX A Manual Deployment to WebSphere Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Contents vii

Basic Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Define Environment Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Create the Shared Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Add a Transport Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Deploy the WAR File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Override Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Change the HTTP Cookie Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Increase JVM Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Modify Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Detailed Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

WebSphere 5.1.1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

WebSphere 6.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Increasing the Memory Allocation for JVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Troubleshooting the WebSphere Application Server Configuration . . . . . . . . . . . . . . . . 134

Modifying Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Driver Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Adapter Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Files To Modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

APPENDIX B Manual Deployment to WebLogic Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141


Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142


Create a New WebLogic Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Unpackage the WAR File and Copy Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Deploy the Web Application Modules to the SharedServices Server . . . . . . . . . . . . . . . . 144


Update the Classpath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Copy/Modify Additional Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Detailed Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Modifying Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Driver Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Adapter Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Files To Modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

APPENDIX C Manual Deployment to Oracle 10g Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153


Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154



Deploy the Web Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Set the Classpaths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

viii Contents

Change the Oracle HTTP Server Listen Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Detailed Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Modifying Files After Manual Application Server Configuration . . . . . . . . . . . . . . . . . . . . . . 158

Driver Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Adapter Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Files To Modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

APPENDIX D Setting Up Shared Services Using Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

About Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

About Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Using a Hardware Load Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Using a Software Load Balancer (Proxy Plug-In) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

WebSphere Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

WebLogic Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Replicating the OpenLDAP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

APPENDIX E Shared Services Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Backing Up Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Files Backed Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Recovering Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Running the Sync OpenLDAP Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

APPENDIX F Sample Configuration XML Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Basic XML Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Extended XML Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

APPENDIX G Troubleshooting the Shared Services Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Shared Services Log Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Debugging Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Shared Services Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Setting Log Levels for the OpenLDAP Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Troubleshooting OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Utilities for Troubleshooting Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Viewing the CSS.xml File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Sync OpenLDAP Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

OpenLDAP Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Validating Classpaths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Determining the System Properties in the Java Virtual Machine (JVM) . . . . . . . . . . . . 201

Accessing the User Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Oracle’s Hyperion® Shared Services Installation Overview 11

C h a p t e r

1Oracle’s Hyperion® Shared

Services Installation Overview

This chapter introduces Hyperion products and describes the Shared Services components.

In This Chapter Hyperion Shared Services Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Shared Services Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

12 Oracle’s Hyperion® Shared Services Installation Overview

Hyperion Shared Services IntroductionShared Services functionality is programmed into products, such as Oracle’s Hyperion® Planning – System 9 and Oracle’s Hyperion® Financial Management – System 9. Shared Services integrates the products to provide these functionalities:

● User provisioning

● External authentication definition

● Metadata synchronization

● Data synchronization

● Task flow management

The Hyperion System 9 Shared Services User Management Guide (on the Oracle® E-Delivery site) describes user-provisioning functionality. Chapter 7, “About External Authentication and Single Sign-On” of this guide describes external authentication configuration. All other Shared Services functionality is described in the administrator’s and user’s guides for the products that implement Shared Services. Products that implement Shared Services functionality require access to a Shared Services server running Shared Services client and server software, and to a database dedicated to Shared Services.

Shared Services ComponentsShared Services components:

● “Shared Services Server” on page 12

● “Shared Services Documentation” on page 15

● “Hyperion Security Platform” on page 16

● “Shared Services User Management” on page 16

Hyperion® License Server™ and standalone license files are no longer used for license management. Instead, administrators need to audit product use. To ensure compliance with your license agreement, you need to edit a properties file to activate or deactivate features in accordance with what you have purchased.

For more information about license compliance, see the Hyperion License Compliance Readme (hyp_license_compliance_readme.pdf), which you can find on your product DVD or on the Oracle® E-Delivery site.

Shared Services ServerThe Shared Services server components:

● Databases (relational and OpenLDAP)

● Web application server

● Hyperion® Configuration Utility™

● External Authentication Configuration Console

http://edelivery.oracle.com/

Shared Services Components 13

● Hyperion Shared Services User Management Console™

● Import/Export Utility

You only need to install the Shared Services server to one computer and does not need to reside on the same computer as products registering with Shared Services. Descriptions of the Shared Services server components follow.

DatabasesShared Services stores its data in two databases:

● An OpenLDAP database

The OpenLDAP database stores the security-services-related data. Shared Services automatically installs OpenLDAP as a Windows service, configures it, and starts it after installation.

● A relational database

The relational database stores the event, administrator, and metadata-services-related data. For a list of supported relational databases, see “Software Requirements Summary Table” on page 23.

For all supported database software, the installation installs the required JDBC drivers.

To assist you in getting started quickly, Hyperion provides the MySQL relational database. Because MySQL is not intended to support large user communities in production environments, it is recommended it be deployed only in a test or demonstration environment where a small number of individuals access and use the software.

Following Shared Services installation, you must complete the configuration process as specified in Chapter 5, “Configuring and Setting Up Shared Services.”

Web Application ServersShared Services requires one of these Web application servers:

● Apache Tomcat

● BEA WebLogic

● IBM WebSphere

● Oracle Application Server

Apache Tomcat

The installation installs and configures Apache Tomcat version 5.0.28 to run with Shared Services.


Note: Hyperion provides Apache Tomcat on the installation media for convenience if you want to use it for your deployment. Hyperion does not own or maintain the Apache Tomcat application server and is not responsible for problems you may encounter with its functionality. Hyperion, however, fully supports the use of Apache Tomcat in its products. In deployments where customers require high availability or failover, Hyperion recommends you deploy a commercially supported application server where these capabilities are supported.

BEA WebLogic Application Server

The installation provides support for versions 9.2 and 8.1.4, as follows:

● You must install the application server yourself.

● For 8.1.4, you can deploy the application server using the Hyperion Configuration Utility. Following Shared Services installation, complete the configuration process as specified in Chapter 5, “Configuring and Setting Up Shared Services.”

● For 9.2, following installation, you must deploy manually to the application server. See Appendix B, “Manual Deployment to WebLogic Application Server.”

IBM WebSphere Application Server

The installation provides support for versions 5.1.1.7 and 6.1, as follows:

● You must install WebSphere yourself.

● For 5.1.1.7, you can deploy the application server using the Hyperion Configuration Utility. Following Shared Services installation, complete the configuration process as specified in Chapter 5, “Configuring and Setting Up Shared Services.”

● For 6.1, following installation, you must deploy manually to the application server. See Appendix A, “Manual Deployment to WebSphere Application Server.”

Oracle Application Server 10g

The installation provides support for version 10.1.3.1.0.

● You must install the application server yourself.

● Following installation, you must deploy manually to the application server. See Appendix C, “Manual Deployment to Oracle 10g Application Server.”

Hyperion Configuration UtilityEach product installs a configuration tool called Hyperion Configuration Utility. You can use the utility to configure products installed on a machine. For complete information, see Chapter 5, “Configuring and Setting Up Shared Services.”

External Authentication Configuration ConsoleThe External Authentication Configuration Console is a Web-browser interface to Shared Services. External Authentication Configuration Console enables you to manage external authentication outside the context of a particular product or application. See Chapter 10, “Configuring External Authentication for Shared Services.”

Shared Services Components 15

User Management ConsoleThe User Management Console is the centralized user interface for these tasks:

● Managing projects and applications within projects

● Provisioning users and groups for applications

● Managing the Shared Services native directory

The console software is installed with Shared Services server. See the Hyperion System 9 Shared Services User Management Guide.

Import/Export UtilityThe Import/Export utility is a standalone command line utility that exports, imports, and validates Shared Services provisioning data.

The Import/Export utility includes these components:

● Batch file (Windows) or shell file (UNIX) to invoke the operation

● Properties file to configure the utility

● XML configuration file

● CSV data file

For more information and instructions, see the PDF file that is packaged with the utility as part of the Shared Services installation:

<Hyperion_Home>/common/utilities/CSSImportExportUtility

Shared Services DocumentationHyperion provides the following documentation for Shared Services:

● Hyperion System 9 Shared Services Information Map

Lists the documentation available for Shared Services and provides links to installed documentation.

● Hyperion Installation Start Here

Lists high-level tasks for multiple-product installations.

● Hyperion Shared Services Readme

Contains late-breaking information about Shared Services.

● Hyperion Shared Services Installation Guide

Describes how to install and configure the Shared Services server and set up external authentication providers for use with Hyperion products.

● External Authentication Configuration Console Online Help

Describes how to use the External Authentication Configuration Console.

● Hyperion System 9 Shared Services User Management Guide

Describes how to set up and administer Hyperion users.


● Hyperion System 9 Shared Services User Management Console Online Help

Describes how to use the User Management Console to manage user accounts on Hyperion applications.

All Shared Services documentation is accessible from the following locations:

● Oracle® E-Delivery Web site (http://edelivery.oracle.com/)

● Oracle® Technology Network (http://www.oracle.com/technology/index.html)

● The product DVD

● The Information Map, available from the Shared Services Help menu for all operating systems

On Windows, it is also available from the Start menu.

● Online help, available from within Shared Services consoles

After you log on, you can access online help by clicking Help or selecting the Help menu.

Hyperion Security PlatformThe Hyperion security platform is a framework enabling Hyperion applications to use external authentication and single sign-on. External authentication means the user login information needed by Hyperion applications is stored outside the applications in a central authentication directory. Single sign-on is the ability of a user to access multiple Hyperion products after logging on only once. For detailed information about Hyperion security platform, see Chapter 7, “About External Authentication and Single Sign-On.”

Shared Services User ManagementShared Services user management enables centralized management of Hyperion product users. The user management system enables administrators to group applications into projects, and then provision users and groups with roles and access rights for applications.

You can provision users and groups whose accounts are maintained in corporate authentication directories and in the native directory. Each Hyperion product provides product-specific roles, and Shared Services provides system-wide roles.

For detailed information about Shared Services user management, see the Hyperion System 9 Shared Services User Management Guide.

Shared Services Installation Sequence 17

C h a p t e r

2Shared Services Installation

Sequence

This chapter provides information about installing, configuring, and setting up Shared Services:

● High-level task flow identifying basic steps

● Installation checklist identifying detailed steps for installation and configuration

The detailed checklist below lists the steps required for a successful installation of Shared Services. Chapter numbers refer to the Hyperion Shared Services Installation Guide unless otherwise noted. If you are upgrading, see “Upgrading Shared Services” on page 32.

Before you begin the installation process, ensure you meet the hardware and software system requirements described in Chapter 3, “Planning the Shared Services Installation.”

Step Instruction Product Component Documentation

1 Install Hyperion Shared Services and configure the Shared Services application server and RDBMS.

Shared Services installer

Hyperion Configuration Utility™

Shared Services Installation Guide

2 Configure Shared Services to authenticate user names that are stored externally in LDAP, Active Directory, or Windows NT LAN Manager, enabling single sign-on.

Shared Services External Authentication Configuration Console

Shared Services Installation Guide

3 Install Hyperion products. Hyperion product installers Product installation guides

4 Configure Hyperion products and register them with Shared Services. You can configure multiple products at one time, if they are installed on the same computer.

Hyperion Configuration Utility Product installation guides

5 Create projects, add applications to projects, and provision users for applications.

Shared Services User Management Console™

Shared Services User Management Guide

18 Shared Services Installation Sequence

✔ INSTALL SHARED SERVICES AND CONFIGURE THE SHARED SERVICES APPLICATION SERVER AND RDBMS REFERENCE

1. Ensure the database software you are using for Shared Services is installed and operational.

2. Download Shared Services software and documentation from the Oracle® E-Delivery site and install Shared Services.

Chapter 4, “Installing and Upgrading Shared Services”

3. Configure the Shared Services application server and RDBMS. Chapter 5, “Configuring and Setting Up Shared Services”

✔ CONFIGURE THE SHARED SERVICES EXTERNAL AUTHENTICATION PROVIDER REFERENCE

1. If enabling one or more Hyperion applications to use external authentication of users in a Windows NT LAN Manager (NTLM) domain, set up the environment and user rights for NTLM support.

Chapter 9, “Using NT LAN Manager for External Authentication”

2. Ensure Shared Services server is running.

3. Using Shared Services, configure the External Authentication Provider to use:

❍ Windows NT LAN Manager (NTLM)

❍ Lightweight Directory Access Protocol (LDAP)

❍ Microsoft Active Directory (MSAD)

Shared Services writes your configuration information to a central XML-based security configuration file that is generated by Shared Services. Hyperion products reference the security configuration file for single sign-on of external and remote users.

Chapter 10, “Configuring External Authentication for Shared Services”

4. Optionally, set up the environment for Netegrity Single Sign-On, configure Shared Services to use Single Socket Layers, and install the Hyperion Remote Authentication Module™.

Chapter 10, “Configuring External Authentication for Shared Services”

Chapter 11, “Using the Hyperion Remote Authentication Module”

Shared Services Installation Sequence 19

✔ INSTALL HYPERION PRODUCTS REFERENCE

Download Hyperion software and documentation from the Oracle® E-Delivery site and install Hyperion products.

Hyperion Product Installation Guide

✔ CONFIGURE HYPERION PRODUCTS REFERENCE

Activate and configure Hyperion products and register them with Shared Services using Hyperion Configuration Utility:

● Specify the Shared Services server location.

● Configure relational databases and repositories for your product.

● Autodeploy products to application servers (recommended), or select the Manual Deployment option to configure the deployment manually.

● Create a properties file for your product.

Note: Shared Services server must be running before you can perform this task.

Hyperion Product Installation Guide

✔ ASSIGN ROLES FOR SHARED SERVICES USER MANAGEMENT AND PROVISION USERS REFERENCE

A Shared Services administrator must perform the following tasks:

● Assign the Project Manager role to users who are responsible for creating projects and assigning applications to projects.

● For each application, assign the Provisioning Manger role to users who are responsible for assigning roles and access control permissions to users of the application.

● Assign the Directory Manager role to users who are responsible for managing the native Shared Services directory.

Project Managers can create projects and add applications to projects as necessary. Provisioning Managers for each application can provision users and groups (assign roles and access control permissions) for their applications.

Hyperion Shared Services User Management Guide

20 Shared Services Installation Sequence

Planning the Shared Services Installation 21

C h a p t e r

3Planning the Shared Services

Installation

This chapter contains requirements for a representative deployment (up to 150 total users, 30-40 concurrent users, one Shared Services application) and does not contain sizing guidelines. For information on sizing guidelines, see to the Hyperion Business Performance Management Deployment Guide located on the product page on the Oracle® E-Delivery site.

For larger deployments, Hyperion highly recommends you call Hyperion Consulting Services to determine the correct number of servers for your environment.

This chapter details the hardware and operating system requirements, software and browser requirements, and prerequisites. It also explains how to plan for clustering of Shared Services and Shared Services backup and recovery.

In This Chapter Hardware Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Installation Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Port Numbers Used By Hyperion Products. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Setting Up Shared Services on Multiple Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

OpenLDAP Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Shared Services Backup and Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Sample Shared Services Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

22 Planning the Shared Services Installation

Hardware Requirements

Relational Database Hardware RequirementsShared Services relational database hardware requirements:

Shared Services Server RequirementsShared Services server requirements:

Software RequirementsThe following topics outline software requirements and browser settings for Shared Services:

● “Shared Services Component Software Requirements” on page 23

● “Browser Settings” on page 23

● “Software Requirements Summary Table” on page 23

Database Server Component Hardware Requirements

Microprocessor Intel Pentium III or later

Memory 256 MB, 512 recommended (For optimal performance, see the vendor documentation.)

Disk space—general guidelines ● Small application—10-20 MB

● Medium application—50-60 MB

● Large application—100-200 MB

Web Server Component Hardware Requirements

Microprocessor Intel Pentium II 300 Mhz (Pentium III or later, 450 Mhz recommended); dual processor required

Memory 256 MB minimum with 1.5 GB available

Disk space 300 MB for full installation

Note: This estimate includes the disk space required for the temporary JAR files extracted during installation.

Software Requirements 23

Shared Services Component Software RequirementsShared Services component software requirements:

Browser Settings

Ensure that default browser preferences and options are enabled:

● Enable JavaScript

● Enable cookies (Preferred setting is to enable cookies to be stored on your computer. Minimum requirement is for each session level cookies set.)

Software Requirements Summary TableShared Services server operating system requirements:

Application Component Software Requirements

Shared Services 9.2.1 server Software files supplied during Shared Services 9.2.1 installation

Java application server ● IBM WebSphere 5.1.1.7 and 6.11

● BEA WebLogic 8.1.4 and 9.22

● Apache Tomcat 5.0.28 (provided by Shared Services installation)

● Oracle 10g Release 3 (10.1.3.1.0)3

1 WebSphere 6.1 is supported only via full manual deployment. For instructions, see Appendix A, “Manual Deployment to WebSphere Application Server.”

2 WebLogic 9.2 is supported only via full manual deployment. For instructions, see Appendix B, “Manual Deployment to WebLogic Application Server.”

3 Oracle 10.1.3.1.0 is supported only via full manual deployment. For instructions, see Appendix C, “Manual Deployment to Oracle 10g Application Server.”

JDBC (Java database connectivity) driver

● Hyperion JDBC DataDirect 3.6 build 24 (provided by Shared Services installation)

● Hyperion JDBC MySQL 3.0.8

Browser Supported Versions

Microsoft Internet Explorer 6.0 and 7.0

Firefox 2.0.0.3


Shared Services software requirements:

Operating System Supported Versions

Windows ● Windows Server 2000 (SP4)

● Windows Server 2003 (SP1 and R2)

● Windows 2003 SP1

● Windows 2000 Professional (client)

● Windows XP Professional (client)

● Windows Vista (Home series and above)

Sun Solaris 9, 10 ● Solaris 9, 10

HP-UX ● HP-UX 11.11

● HP-UX 11.23

AIX (required for the Shared Services OpenLDAP database)

● AIX 5.2 ML3

● AIX 5.3 ML8

Redhat Linux ● Redhat Linux AS 4.0

Component Software Requirements

Relational databases ● MySQL:

❍ 4.0.12

❍ 4.0.23 for 64-bit processors

● Oracle:

❍ 9i - 9.2.0.5

❍ 10g - 10.1.0.5

❍ 10g - 10.2.0.2

❍ 11g Beta

● IBM DB2:

❍ 8.2 (8.1 FP7)

❍ 9.1

● Microsoft SQL Server:

❍ 2000 Service Pack 3a

❍ 2005 SP1

Application servers ● IBM WebSphere:

❍ 5.1.1.7

❍ 6.1

● BEA WebLogic:

❍ 8.1.4

❍ 9.2

● Oracle:

❍ 10g - 10.1.3.1.0

● Apache Tomcat:

❍ 5.0.28 (Does not support DB2 RDBMS.)

Installation Prerequisites 25

Installation PrerequisitesBefore installing Shared Services, meet these prerequisites:

● To use Shared Services with a database other than MySQL, you must create a database and a user before installing Shared Services. Assign the appropriate rights to the user (see “Prerequisites” on page 42). For a list of supported databases, see “Software Requirements” on page 22.

● If Shared Services is being installed against an IBM DB2 database, increase the applheapsz DB2 configuration parameter to 4000. Use the following command to do this:

update db cfg for HUB_DB_NAME using applheapsz 4000

You must restart the IBM DB2 instance for this parameter to take effect.

● To use Shared Services with an Oracle relational database, these privileges are the minimum required for the Shared Services Oracle database user:

❍ CONNECT

❍ RESOURCE

❍ CREATE

JDBC drivers ● SQL—Hyperion JDBC driver

● Oracle—Hyperion JDBC driver

● DB2—Hyperion JDBC driver

● Hyperion MySQL connect driver

Browsers ● Microsoft Internet Explorer 6.0 and 7.0

● Firefox 2.0.0.3

Authentication Providers1 ● LDAP:

❍ Sun One 5.2 Patch 4

❍ Novell eDirectory 8.8

❍ IBM Directory Server 5.1

❍ Domino 6.0

● NTLan Manager (NTLM) on 2000 and 2003

● Microsoft Active Directory (MSAD) 2000 and 2003

● Netegrity Siteminder 5.5 (SP2)

● OpenLDAP 2.3.37 (provided by Shared Services installation and automatically configured)

1 Requires installation of Hyperion Remote Authentication Module for UNIX authentication against NTLM. See Chapter 11, “Using the Hyperion Remote Authentication Module.”

Component Software Requirements


❍ CREATE TRIGGER, DROP TRIGGER AND MODIFY TRIGGER

● For UNIX systems, do not run an OpenLDAP database on a Network File System (NFS) mounted protocol.

● To deploy Shared Services on an application server other than Apache Tomcat, you must install the application server and then install Shared Services. For a list of supported application servers, see “Software Requirements” on page 22.

● If you plan to deploy Shared Services on a BEA WebLogic application server, note these requirements:

❍ Shared Services cannot be installed to directories with names containing spaces; for example, c:\Program Files.

❍ Shared Services cannot be automatically deployed to BEA WebLogic if WebLogic application server is not installed in BEA_HOME. If BEA WebLogic application server is installed outside BEA_HOME, the auto-deployment process for Shared Services does not execute correctly. If you install in such an environment, use the manual deployment option to create the necessary Web archive and use the WebLogic application deployment tool to deploy the application to the required instance.

❍ The auto-deployment process for Shared Services does not update the startup scripts for WebLogic to execute as a service. After installation, you must update the installSvc.cmd file with WLS_USER and WLS_PW (user and password) to run WebLogic as a service.

● If you plan to deploy Shared Services on an IBM WebSphere application server, note these requirements:

❍ You must install Shared Services on the computer hosting the IBM WebSphere application server.

❍ Shared Services cannot be installed to directories with names containing spaces; for example, c:\Program Files.

❍ On UNIX platforms, if you are using the IBM WebSphere application server, ensure you use the same account to install, deploy, and execute Hyperion products used to install WebSphere. Using one account ensures Hyperion Configuration Utility can successfully deploy Hyperion products to WebSphere.

● Be aware of port usage so you can resolve port conflicts during configuration. See “Port Numbers Used By Hyperion Products” on page 27.

Port Numbers Used By Hyperion Products 27

Port Numbers Used By Hyperion ProductsDuring Hyperion product installation, the default port number for application servers is automatically populated and can be changed during the configuration process. For instructions to modify default ports after installation, see “Deploying Shared Services to an Application Server” on page 47.

Each application port number must be unique. After modifying the default port number, if your application does not launch, or if an error message is displayed similar to “port already in use” or “bind error,” there may be a port number conflict.

If you do not change the default port number, the software is configured with these values:

Hyperion Product Listen Port SSL Listen PortShutdown Port for Apache Tomcat

Shared Services 58080 58090 58005

Application Builder J2EE 21080 21090 21005

Application Builder.NET 22080 22082 22081

Oracle’s Essbase® Administration Services 10080 10090 10005

Analytic High Availability Services 11080 11090 11005

Planning 8300 8300 8301

Hyperion® Translation Manager 14080 14090 14005

Oracle’s Hyperion® Financial Reporting – System 9

8200 8201

Oracle’s Hyperion® Web Analysis – System 9

16000 16001

Oracle’s Hyperion® Business Modeling 17080 17090 17005

Oracle’s Hyperion® Performance Scorecard – System 9

18080 18090 18005

Oracle’s Hyperion® Performance Scorecard – System 9 Alerting

18081 18091 18006

Enterprise Metrics 8180 8280

8205

8105

Essbase Smart View Provider 13080 13090 13005

Oracle’s Hyperion® Workspace 19000 45001


Default Port Numbers for Remote Method Invocation (RMI) Servers

Setting Up Shared Services on Multiple ServersShared Services enables you to horizontally scale an application; thus, you can use multiple servers for one application. This improves performance and provides fail-over capability for Shared Services.

For complete information, see “Setting Up Shared Services Using Clustering” on page 163.

OpenLDAP ReplicationLoad balancing and failover is also necessary in the OpenLDAP environment. For detailed information, see “Replicating the OpenLDAP Environment” on page 183.

Shared Services Backup and RecoveryTo ensure that Shared Services can recover from catastrophic failure, the Shared Services installation provides scripts that perform the backup and recovery process for you. For detailed information, see “Shared Services Backup and Recovery” on page 187.

Sample Shared Services Deployment ScenariosThis section describes some sample deployment scenarios for Shared Services:

● “Standard Shared Services Configuration” on page 29

● “Shared Services with Replicated Databases” on page 29

● “Sample Configuration of Clustered Shared Services with Replicated Databases” on page 30

Hyperion Component RMI Port

Hyperion Remote Authentication Module 58000

Financial Reporting 1099

Planning 11333

Strategic Finance 1493 and 1495

Hyperion Performance Suite Legacy 1494 - 1498

Hyperion Performance Suite GSM 1800

Hyperion Performance Suite Services 1801-1803

OpenLDAP 58081

Sample Shared Services Deployment Scenarios 29

Standard Shared Services ConfigurationThis deployment scenario depicts the default configuration of Shared Services, with one instance of Shared Services Web application, one instance of the OpenLDAP database, and one instance of a relational database. In this scenario there is no support for failover or load balancing.

Shared Services with Replicated DatabasesThis deployment scenario depicts a configuration with failover support for the database but Shared Services is only deployed on one application. This configuration works for deployments where the authentication to Hyperion products is extremely critical and needs failover support, but Shared Services features such as user provisioning, metadata synchronization, and task flow management do not need failover support.

The relational database replication/failover is vendor-specific. Shared Services provides the ability to replicate OpenLDAP and configure it to support failover. See Appendix E, “Shared Services Backup and Recovery.”

Note: There is no load balancing support for OpenLDAP.

This figure depicts a standard deployment of Shared Services with replicated databases:


Sample Configuration of Clustered Shared Services with Replicated DatabasesThis deployment scenario depicts a configuration where failover support is available across all Shared Services components.

Clustering provides failover and load balancing support for the Shared Services Web application. Shared Services can be clustered through a software load balancer on WebSphere and WebLogic application servers or on other application servers using a hardware load balancer. For information about clustering, see Appendix D, “Setting Up Shared Services Using Clustering.”

The relational database replication/failover is vendor-specific. Shared Services provides the ability to replicate OpenLDAP and configure it to support failover. See Appendix E, “Shared Services Backup and Recovery.”

Note: There is no load balancing support for OpenLDAP.

This figure depicts a sample cluster deployment of Shared Services:

Installing and Upgrading Shared Services 31

C h a p t e r

4Installing and Upgrading Shared

Services

This chapter explains how to install Shared Services and describes what happens during installation.

In This Chapter Upgrading Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Launching Installers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Running the Installation Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

What Happens During Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Files Installed in the HSS_HOME Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Installing JDK on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

About Hyperion Home . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Running Silent Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Postinstallation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

32 Installing and Upgrading Shared Services

Upgrading Shared ServicesThese topics document the process for upgrading from a previous release of Shared Services to this release. THe following upgrade paths are supported:

● 9.2.0.x to 9.2.1

● 9.0.x to 9.2.1

● 7.2.5.2 to 9.2.1

➤ To upgrade to this release of Shared Services from one of the releases mentioned above:

1 Verify that all preparation tasks are complete and all system requirements are met.

See Chapter 3, “Planning the Shared Services Installation”.

2 Stop all activities and processes connected to Shared Services, including the application server, the OpenLDAP database, and all servers related to Shared Services.

Note: You do not need to uninstall the previous release of Shared Services or stop the relational database.

To stop Shared Services manually, execute the stop script. See “Stopping Shared Services” on page 52.

3 If the previous installation of Shared Services was a manual deployment, search on your system for the external authentication configuration file (CSS.xml), and manually back it up.

4 Install this release of Shared Services over the existing installation. You must install the Shared Services files to the previous installation directory.

See “Launching Installers” on page 33 and “Running the Installation Wizard” on page 33. Do not start Shared Services.

5 If you are upgrading from 9.0.x or from 7.2.5.2, and you previously deployed Shared Services to Apache Tomcat as a Windows service, remove the Windows service before configuring the Shared Services application server.

To remove the Tomcat Windows service, from a command line, change to:

● For 9.0.x:

<HSS_HOME>\AppServer\InstalledApps\Tomcat\5.0.28\ SharedServices9\bin

● For 7.2.5.2:

\Hyperion\HyperionHub\7.2.1\deployments\Tomcat\4.1.30

Then type:

removeService.bat

6 Using Hyperion Configuration Utility, configure the Shared Services application server, RDBMS, and mail server. You must select the option to re-use the existing database.

See Chapter 3, “Configuring Shared Services.”

7 Start Shared Services.

Running the Installation Wizard 33

Note: You must ensure Shared Services is started before configuring other Hyperion products. If you upgrade Shared Services but do not upgrade other Hyperion products, you must reregister the other products with Shared Services using Hyperion Configuration Utility. For instructions, see the product installation guide.

8 If you are upgrading from 7.2.5.2, ensure the following tags are added to the external authentication configuration file (CSS.xml):

a. The <hub> tag with a URL for the hostname. For example,

- <hub location="http://MCOHEN2:58080">

<dirPort>58089</dirPort>

</hub>

b. The <native> tag with Native Directory specified. For example,

- <spi>

- <provider>

<native name="Native Directory" />

</provider>

</spi>

Launching Installers

➤ To launch the Shared Services installer from a self-extracting download file from Oracle® E-Delivery site:

1 Download the installer from Oracle's E-Delivery Web site.

See the Media Pack Readme for information about which files to download.

2 Extract the files from the ZIP file.

After extraction, the installation directory should include the following files:

● setup.exe (Windows) or setup.bin (UNIX)

● setup.jar (Windows or UNIX)

3 Run the install setup program:

● Windows—setup.exe

● UNIX—setup.bin

Note: If you cannot execute setup.bin, use chmod to add execute privilege.

Running the Installation WizardThis procedure describes using the installation wizard to install Shared Services.

➤ To install Shared Services:

1 Verify that all prerequisites and system requirements are met.


See “Planning the Shared Services Installation” on page 21.

2 Download and launch the Shared Services installer program.

See “Launching Installers” on page 33 for instructions.

3 Follow the installation prompts, keeping in mind this information:

● If the installation wizard detects a previous installation of Shared Services, you must install the Shared Services files to the same directory as the previous installation.

● If this is a new installation (no previous installation of Shared Services is detected), you can specify the directory in which to install the Shared Services files.

Restrictions for this field:

❍ You can enter only English alphanumeric characters and these special characters:

dash ( - ), underscore ( _ ), plus sign ( + ), backslash ( \ ), forward slash ( / ), dot (.), colon ( : )

The colon character ( : ) is supported only for Windows platforms to specify the drive (for example, c:\).

❍ If you are deploying Shared Services on a WebLogic or WebSphere application server, Shared Services cannot be installed to a directory whose name contains a space; for example, c:\Program Files.

By default, the wizard installs Shared Services in one of these directories:

❍ Windows—c:\Hyperion\SharedServices\<releaseNumber>

❍ UNIX—/home/username/Hyperion/SharedServices/<releaseNumber>

● Hyperion common components are installed to a different directory than the Shared Services software. Common components are installed to a location called “Hyperion Home” (HYPERION_HOME\common). For more information, see “About Hyperion Home” on page 36.

Restrictions for this field:

❍ You can enter only English alphanumeric characters and these special characters:

dash ( - ), underscore ( _ ), plus sign ( + ), backslash ( \ ), forward slash ( / ), dot (.), colon ( : )

The colon character ( : ) is supported only for Windows platforms to specify the drive (for example, c:\).

❍ The Hyperion Home location cannot be a directory whose name contains a space; for example, c:\Program Files.

Note: On UNIX platforms, if the HYPERION_HOME directory is mounted on a Network File System (NFS) so that one HYPERION_HOME location is visible across multiple computers, Shared Services can only be installed to one computer. If you try to install Shared Services to another computer, the previous installation is detected.

● In addition to the Shared Services files, the wizard installs shared components, such as Java Development Kit (JDK) files, Hyperion External Authentication Module files, and so on.

Files Installed in the HSS_HOME Directory 35

Note: For AIX, the Shared Services installer does not perform a full installation of JDK. For information about installing JDK on AIX, see “Installing JDK on AIX” on page 36.

● After installation is complete, the installation wizard prompts you to launch Hyperion Configuration Utility, which enables you to perform key product activation and configuration tasks. See “Postinstallation Tasks” on page 40.

What Happens During InstallationDuring installation, the Shared Services installer program performs the following operations:

● Creates directories and subdirectories under the location specified during installation

In documentation, the directory Shared Services is installed is referred to as HSS_HOME. For a list of the Shared Services directories created during installation, see “Files Installed in the HSS_HOME Directory” on page 35.

● Installs Hyperion common components to HYPERION_HOME\common

For information about HYPERION_HOME and a list of directories created, see “About Hyperion Home” on page 36.

After HYPERION_HOME is defined, you can run a migration utility to change its location. The Hyperion Home Migration Utility is provided with the Shared Services installation. See “About Hyperion Home” on page 36.

● A typical installation installs these Shared Services components:

❍ MySQL database

❍ Shared Services server

❍ Shared Services documentation

A custom installation installs only the components you choose.

● On Windows, creates these manual services:

❍ Open LDAP service: “Hyperion SharedServices9 OpenLDAP”

❍ MySQL service: “Hyperion-MySQL-4.0.12”

● On UNIX, creates and starts a MySQL process.

● Installs documentation files to HSS_HOME\docs on the Shared Services computer

See “Shared Services Documentation” on page 15.

● On Windows, adds shortcuts to the Start menu

● Installs an uninstaller in HSS_HOME\uninstall

See Chapter 6, “Uninstalling Shared Services and Hyperion Hub.”

Files Installed in the HSS_HOME DirectoryThe directory where you install Shared Services is referred to as the HSS_HOME directory, by default:


● Windows—c:\Hyperion\SharedServices\<releaseNumber>

● UNIX—/home/username/Hyperion/SharedServices/<releaseNumber>

Directories created for typical installations:

Installing JDK on AIXFor AIX, the Shared Services installer does not perform a full installation of the Java Developer Kit (JDK). Instead, the files required for you to install the JDK are placed in the $HYPERION_HOME/common/JDK/IBM/1.4.2 directory. The files are:

● fixes.html

● java14.license

● java14.sdk

● sdkguide.aix32.htm

See sdkguide.aix32.htm for instructions on installing the JDK.

About Hyperion HomeWhen multiple Hyperion products are installed on one computer, common internal and third-party components used by the products are installed to a central location, called Hyperion Home. On Windows, the Hyperion Home location is defined in the system environment variable called HYPERION_HOME. On UNIX, the Hyperion Home value is stored in .hyperion.<hostname> in the /home directory.

Note: Hyperion recommends all Hyperion applications be installed as one user on UNIX platforms. All Hyperion products install common third-party and internal components under HYPERION_HOME. To ensure installers have the permissions required to modify the HYPERION_HOME location on UNIX platforms; Hyperion recommends all Hyperion applications be installed under one HYPERION user account on UNIX platforms.

Directory Contents

\AppServer \InstallableApps—files required by the Configuration Utility for auto-deployment

\InstalledApps—files/directories created by Hyperion Configuration Utility during auto-deployment

\client Java APIs for applications to use Shared Services functionality

\docs Shared Services documentation files

\openLDAP OpenLDAP database files

\server Shared Services executable files, default relational database files, Java class files, and server locale files

\uninstall Files for uninstalling Shared Services

About Hyperion Home 37

Hyperion Home LocationThe Shared Services installer prompts you to define the location for Hyperion Home. The default location is C:\Hyperion for Windows and $HOME/Hyperion for UNIX. The installer searches for the HYPERION_HOME environment variable on the computer to which you are installing. If the location was previously defined for another Hyperion product, the installation uses that location and the Hyperion Home location cannot be changed through the installer. If this is the first Hyperion installation on the computer, and you have not specified the location for Hyperion Home, you can specify the location during installation. Do not choose a HYPERION_HOME location containing a space character. For example, C:\Program Files.

Note: On UNIX platforms, if the HYPERION_HOME directory is mounted on a Network File System (NFS) so that one HYPERION_HOME location is visible across multiple computers, Shared Services can only be installed to one computer. If you try to install Shared Services to another computer, the previous installation is detected.

Files Installed in the HYPERION_HOME DirectoryThe following table lists the files that are installed in the HYPERION_HOME\common directory by a default installation of Shared Services. Some common components are optional and may not be installed.

Table 1 Directories Created in the HYPERION_HOME\common Directory

Directory Description

appServers Contains application server files

config Contains Configuration Utility files

CSS Contains files to support Hyperion external authentication

DBMS Contains relational database management system (DBMS) files

HyperionLookAndFeel Contains installer user interface files

JCE Contains Java Cryptography Extension (JCE) files for encryption, key generation and key agreement, and Message Authentication Code (MAC)

JDBC Contains Java Database Connectivity (JDBC) files

JDK Contains Java Development Kit (JDK) files

loggers Contains files for external authentication logging

utilities Contains one of the utilities needed to change the location of Hyperion Home

For more information, see “Changing the Hyperion Home Location” on page 38.

XML Contains common XML components


Changing the Hyperion Home LocationAfter Hyperion Home is defined through the product installation, you must run a migration utility to change the Hyperion Home location. The utility moves the files installed in Hyperion Home to the new location and replaces the value of the current HYPERION_HOME environment variable. The Hyperion Home Migration Utility is provided with the Shared Services installation.

Note: For an Apache Tomcat 5.0.28 Windows installation, you can choose to install the Shared Services server as a Windows service. If you select this option, the Shared Services server is launched automatically by the service and runs in the background. However, if you migrate HYPERION_HOME to another location after installing Shared Services, the Windows service does not automatically start. This occurs because the registry entries for the Windows service still retain the old path information. If this occurs, you must manually update the location of the Windows service after you migrate HYPERION_HOME.

➤ To change the Hyperion Home location:

1 Launch the migration utility:

● On Windows, choose a method:

❍ Double-click the run.exe file from:

%HYPERION_HOME%\common\utilities\HyperionHomeTool\1.0.1\bin

❍ From a Windows console, change to this directory:

%HYPERION_HOME%\common\utilities\HyperionHomeTool\1.0.1\bin

Then type:

run.exe -console

● On UNIX, choose a method:

❍ In XWindows, change to this directory:

$HYPERION_HOME/common/utilities/HyperionHomeTool/1.0.1/bin

Then type:

migrationtool.sh

❍ In a UNIX console, change to this directory:

$HYPERION_HOME/common/utilities/HyperionHomeTool/1.0.1/bin

Then type:

migrationtool.sh -console

The migration utility is launched.

2 Step through the screens, and when prompted, enter the Hyperion Home location or click Browse to navigate to the desired location.

Do not choose a HYPERION_HOME location containing a space character. For example, C:\Program Files.

The migration utility copies the entire Hyperion Home directory to the new location and replaces the value of the current HYPERION_HOME environment variable.

Running Silent Installations 39

For Windows, the Hyperion Home Migration Utility updates the environment variable. For UNIX, the utility updates the .hyperion.<HOSTNAME> file in the home directory containing the environment variable. Login initialization files, such as .profile and .login are not updated on UNIX systems.

Running Silent InstallationsTo install Shared Services on multiple computers using the same installation options, you can record your installation settings and run a silent installation from the command line. Silent installations automate the installation process so you can install Shared Services without specifying installation settings each time.

To record your installation settings, you create a response file and run the regular installation to record your settings in the response file. Then, when you run the silent installation from the command line, the response file is used to set the same installation options as the regular (nonsilent) installation.

➤ To record installation settings and run a silent installation:

1 Navigate to the directory containing the product installer.

2 From a command line, run one of these commands:

The responsefilename can include an absolute path or filename.

3 The regular (nonsilent) product installer is launched.

4 As you step through the installer, specify the settings to use.

The installation options are recorded in the response file. You can modify the response file to change installation options.

You are now ready to run the installation in silent mode.

5 From the command line, enter one of these commands:

The installation runs in the background.

Windows setup.exe -options-record responsefilename

For console mode:

setup.exe -console -options-record responsefilename

AIX, Solaris, HP-UX, and Linux setup.bin -options-record responsefilename

For console mode:

setup.bin -console -options-record responsefilename

Windows setup.exe -options <responsefilename> -silent

AIX, Solaris, HP-UX, and Linux setup.bin -options <responsefilename> -silent


Postinstallation TasksAfter installation is complete, the installation wizard prompts you to launch Hyperion Configuration Utility. Hyperion Configuration Utility is a common tool that guides you through a series of pages to perform these Shared Services configuration tasks:

● Configuring a relational database for Shared Services

● Configuring a mail server for Shared Services

● Deploying Shared Services on an application server

For detailed information about launching and running Hyperion Configuration Utility, see Chapter 5, “Configuring and Setting Up Shared Services.”

Configuring and Setting Up Shared Services 41

C h a p t e r

5Configuring and Setting Up

Shared Services

This chapter describes how to configure Shared Services using Hyperion Configuration Utility. It provides instructions for configuring relational databases, deploying to an application server, and configuring the mail server. It also describes how to start and stop the Shared Services server.

In This Chapter Hyperion Configuration Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Task Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Configuring Product Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Launching the Configuration Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Configuring Relational Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Configuring the Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Deploying Shared Services to an Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Postconfiguration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Verifying Successful Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Configuration Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

42 Configuring and Setting Up Shared Services

Hyperion Configuration UtilityThe Configuration Utility is a common tool used to configure installed Hyperion products. It is installed with the first product installed on a machine, and you can use it to configure all products that are installed on that machine. Use the Configuration Utility to configure Shared Services first, separately from other products. Then use it to configure other products that are installed on a machine. The Configuration Utility should be used on each machine to which a product is installed.

The Configuration Utility provides these configuration tasks for Shared Services:

● Relational Storage Configuration—Required to use a database to store and retrieve Shared Services data. See “Configuring Relational Storage” on page 44.

● Configure Mail Server—Required if you are using task automation notifications. See “Configuring the Mail Server” on page 46.

● Application Server Deployment—Required to deploy Shared Services to an application server. See “Deploying Shared Services to an Application Server” on page 47.

You can reconfigure Shared Services after the initial configuration, following the same procedures.

Note: You must configure Shared Services before configuring other Hyperion products installed on the same machine or on other machines. You do not need to install Shared Services on each machine where a product is installed.

When using the Configuration Utility to configure other Hyperion products, you are given the option to register products with Shared Services. Registering products is a required step before you can use Shared Services functionality. See the product installation guide.

PrerequisitesComplete these tasks before using the Configuration Utility:

● Install the Shared Services server, but do not start it. It should be stopped during configuration.

● Install the application server that you plan to use.

● Prepare a database to use for relational storage.

The database user that you specify during configuration should have the following user rights for the database: inserting seeded data and creating, deleting, and updating tables. See also “Installation Prerequisites” on page 25.

Launching the Configuration Utility 43

Task SequenceWhen performing multiple configuration tasks in one session, the Configuration Utility orders the tasks appropriately. If you use the Configuration Utility to perform tasks individually, follow this order:

● Application server deployment

● Mail server configuration

● Database configuration

Configuring Product UpgradesUse the Configuration Utility to configure Shared Services when it is upgraded from a previous release (for example, 9.0.0). The Configuration Utility determines whether the Shared Services installation is new or upgraded. The product selection page indicates whether Shared Services was specified as an upgrade during the Shared Services installation process.

All configuration tasks are available for upgraded products; however, if an upgraded product is configured for a relational database, the database configuration page is read-only except for the password.

If you are upgrading Shared Services and products, upgrade Shared Services first, separately from other products.

Note: The Configuration Utility is backward compatible with previous releases (9.0.x and higher) and can be used to configure Shared Services for those releases.

Launching the Configuration UtilityYou must run the Configuration Utility on each machine to which a product is installed. The utility can be launched from a product installer or independently.

Note: Before beginning configuration on UNIX platforms, set the number of operating system file descriptors to at least 1024 to avoid possible issues with application server deployment. See your operating system documentation for information on using the Limit command to increase this setting.

➤ To launch the Configuration Utility:

1 Choose a method:

● On the last page of the Shared Services installer, select the option to launch the Configuration Utility.

● On Windows, choose a method:

❍ From Start, select Programs > Hyperion > Foundation Services > Configuration Utility.

❍ Double-click the configtool.bat file from:

%HYPERION_HOME%\common\config\


❍ From a Windows console, change to this directory:

%HYPERION_HOME%\common\config\

Then type:

startconfigtool.bat -console

● On UNIX, choose a method:

❍ In XWindows, change to this directory:

$HYPERION_HOME/common/config/

Then type:

configtool.sh

❍ In a UNIX console, change to this directory:

$HYPERION_HOME/common/config/

Then type:

configtool.sh -console

Note: If you are running the Configuration Utility in console mode, follow the command-line prompts.

2 On the welcome page, click Next.

3 From the list of installed products, select Shared Services and click Next.

A list of configuration tasks is displayed.

4 Follow the instructions for configuration tasks, as appropriate:

● “Configuring Relational Storage” on page 44

● “Configuring the Mail Server” on page 46

● “Deploying Shared Services to an Application Server” on page 47

Note: You can select multiple tasks in one session. For Shared Services, Hyperion recommends you deploy the relational database and the application server together. However, if you decide to deploy them separately, deploy the application server first and then the relational database.

Configuring Relational StorageWhen you configure Shared Services to use a database, the Configuration Utility checks for connectivity to the database and ensures that the database is a supported database type. If an existing database is detected, you may be prompted to re-use the database or create a new one.

For a list of supported databases for this release, see “Software Requirements” on page 22. For database prerequisites, see “Prerequisites” on page 42.

Note: A MySQL database is installed automatically with Shared Services. During configuration, you can specify the database name, username, and password to use.

Configuring Relational Storage 45

➤ To configure a database:

1 Launch the Configuration Utility.

See “Launching the Configuration Utility” on page 43.


3 On the task selection page, select Relational Storage Configuration and click Next.

4 From the list of supported databases, select the database and click Next.

The relational storage configuration details page is displayed.

Note: If you are configuring a product upgrade, the fields on this page are read-only except for the password.

5 Specify database information:

6 Click Next.

7 If a database is detected, select one of the following options:

● Drop all tables and create a new repository

● Reuse the existing repository (select this option if upgrading)

Note: If a database is detected, after running the Configuration Utility, Hyperion requires that you run the Sync OpenLDAP Utility to synchronize the differences between the relational repository and the OpenLDAP database. Selecting these database options does not synchronize the data automatically. For instructions, see “Sync OpenLDAP Utility” on page 201.

8 Click Next to go to the next configuration task or to finish.

Table 2 Database Configuration Fields

Server Enter the computer name of the server hosting the database.

Port Specify the server port number on which the database listens, or accept the default port:

● DB2—50000

● Oracle—1521

● SQL Server—1433

● MySQL—3306

Product Displays the name of each product being configured and its install location. This field cannot be changed.

Database or SID (Oracle only) Enter the database name or the Oracle System Identification (database instance). You can enter only English alphanumeric characters and the dash character (-).

Username Enter the name of the database owner.

Password Enter the password of the database owner.


Changing the Database Password

➤ To change the password for the database owner (as specified during configuration):

1 Change the user’s password externally in the database.

Note: For MySQL, you do not have to change the password in the database; you can change it using only the Configuration Utility.

2 Stop the Shared Services server.

See “Stopping Shared Services” on page 52.




5 On the task selection page, select Relational Storage Configuration and click Next.

6 From the list of supported databases, select the database and click Next.

The relational storage configuration details page is displayed.

7 For Password, enter the new password for the user.

Note: If you also change the username to a different database owner, data is not migrated with the new user.

8 Click Next.

9 At the prompt to create a new repository or to reuse the existing repository, select Reuse the existing repository.

10 Select Next and then Finish.

The Configuration Utility updates the appropriate configuration files with the new password.

11 Start the Shared Services server.

See “Starting Shared Services” on page 50.

Configuring the Mail ServerYou must configure the mail server if you plan to use the Shared Services taskflow management system to manage tasks.

Note: The manage tasks functionality is described in the administrator’s and user’s guides for the products that support the Shared Services taskflow management system.

Shared Services requires you to configure the mail server setting by identifying the Simple Mail Transfer Protocol (SMTP) server.

Deploying Shared Services to an Application Server 47

➤ To configure the mail server:

1 For SMTP Mail Server, enter the name of the SMTP mail server.

For example, on UNIX-based systems, sendmail might be the SMTP server for e-mail. On Windows systems, Exchange might be the mail server. Other common mail server programs are qmail and Exim.

2 Click Next to go to the next configuration tasks or to exit.

Deploying Shared Services to an Application ServerThe Configuration Utility enables you to deploy Shared Services to an application server that is installed on the Shared Services machine.

To view the list of supported application servers for this release, see “Software Requirements” on page 22.

Caution! On UNIX platforms, if you are using IBM WebSphere application server, use the same account to install, deploy, and execute Hyperion products that you use to install WebSphere. Using the same account ensures that products are deployed successfully.

➤ To deploy Shared Services to an application server:




3 On the task selection page, select Application Server Deployment and click Next.

4 From the list of supported application servers, select the application server and click Next.

A page is displayed that is specific to the selected application server.

5 Specify application server information:


Table 3 Application Server Configuration Fields

Location Enter the path to the application server directory, or browse to the directory.

For example:

● For WebSphere Base—

c:\WebSphere\AppServer on Windows

or

/opt/WebSphere/AppServer on UNIX

● For WebSphere Express—

c:\IBM\WebSphere\Express51\AppServer on Windows

or

/opt/IBM/WebSphere/Express51/AppServer on UNIX

● For WebLogic—

c:\bea\weblogic81 on Windows

or

/opt/bea/weblogic81 on UNIX

For WebSphere, the Configuration Utility verifies that the specified WebSphere directory and the WebSphere temporary directory are set with Write permission. Write permission must be assigned before running the Configuration Utility.

BEA Home (WebLogic only) For WebLogic, enter the path to the BEA Home directory (for example, c:\bea), or browse to and select the location.

Username and Password (WebLogic only)

Enter your WebLogic username and password.

Deploy as service Select this checkbox if you want to deploy as a manual Windows service.

In the Windows service control panel, the service name is listed as:

Hyperion <Product> <AppServer><Version#>

For example:

Hyperion SharedServices9 WAS51

Manual Deployment Select this checkbox to manually deploy to the application server. The Configuration Utility creates the necessary Web archives (EAR or WAR) to enable manual deployment at a future time. For more information, see the appendix for the application server you are using.

Component Displays the name of each product or component being configured. This field cannot be changed. For example, if you are configuring Hyperion Reporting and Analysis, Intelligence and Web Analysis components may appear in this column. For products such as Essbase Administration Services, the product name appears as the component.

ServerName Enter the name of the server where you can access the deployed product. You can enter only English alphanumeric characters and the dash character (-).

Postconfiguration Tasks 49

Note: For all application servers, if you chose to deploy automatically rather than manually, the Configuration Utility checks server disk space when starting deployment to ensure that the size of the EAR or WAR file (as specified in the product configuration file) is available for deployment. If the Configuration Utility indicates the available disk space is inadequate, you must specify a different location for storage of the EAR or WAR files in the product configuration file and then repeat the automatic deployment process. On WebSphere, if you chose to deploy automatically rather than manually, the Configuration Utility checks server disk space for the java.io.tempdir folder when starting deployment to ensure that at least four times the size of the EAR or WAR file (as specified in your product configuration file) is available for deployment. If the available disk space on the server is inadequate, the Configuration Utility relocates the java.io.tempdir file to the HYPERION_HOME\temp directory (HYPERION_HOME/temp directory for UNIX). After deployment is completed, the folder is automatically deleted.

6 Click Next to view configuration status.

7 Click Next to go to the next configuration task or to finish.

Postconfiguration TasksThis section provides instructions for postconfiguration tasks:

● “Backing Up Shared Services Configuration Files” on page 49

● “Starting Shared Services” on page 50

● “Deploying WebLogic When Connected Through a Proxy Server” on page 53

● “Enabling HTTPS for WebLogic” on page 53

● “Updating the Default Session Timeout for WebLogic 8.1 on HP-UX” on page 54

Backing Up Shared Services Configuration FilesHyperion recommends that you back up Shared Services configuration files in case of failure. If configuration files are not backed up, upon recovery, you must reconfigure Shared Services.

See Appendix E, “Shared Services Backup and Recovery.”

Port If you want to change the default port number that was set during installation, specify a different port number here. Otherwise, accept the default port number. The port number must not exceed 65535. Hyperion recommends using a port number greater than 1025 to avoid conflicts with third-party port assignments.

Each application port number must be unique. For a list of default port numbers, see “Port Numbers Used By Hyperion Products” on page 27.

Domain (WebLogic only) Enter the name of the domain where you can access the deployed product. You can enter only English alphanumeric characters.

Table 3 Application Server Configuration Fields


Starting Shared ServicesThis section describes how to start Shared Services if you did not deploy the Shared Services application server as a Windows service. If you deployed the Shared Services application server as a Windows service, start the service without restarting the computer, start the service manually from Windows control panel (Administrative Tools > Services).

➤ To start Shared Services server:

1 Choose a method:

● On Windows, select Start > Programs > Hyperion > Foundation Services > Start Shared Services.

The menu item indicates which application server the Shared Services server is deployed to.

● Execute the startup script:

Application Server Path to Script

IBM WebSphere Windows:

<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\bin\startSharedServices9.bat

UNIX:

<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/bin/startSharedServices9.sh

BEA WebLogic Windows:

<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\startSharedServices.bat

UNIX:

<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/startSharedServices.sh

Oracle Windows:

<OracleInstallDir>\bin\emctl start iasconsole<OracleInstallDir>\opmn\bin\opmnctl startall

UNIX:

<OracleInstallDir>/bin/emctl start iasconsole<OracleInstallDir>/opmn/bin/opmnctl startall

Apache Tomcat Windows:

<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\bin\startSharedServices9.bat

UNIX:

<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/bin/startSharedServices9.sh

Note: <HSS_HOME> is the directory where Shared Services is installed; for example, c:\hyperion\SharedServices\9.2.

Verifying Successful Startup 51

Verifying Successful Startup

➤ To verify successful startup and configuration of Shared Services:

1 Look for the following confirmation messages in the Shared Services console window during startup:

● Database Configuration Test Passed

● Security System Initialized Successfully

● Shared Services Initialized Successfully

On UNIX, when Shared Services is deployed to the Tomcat application server, these confirmation messages are logged to the following file: <HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/ SharedServices9/logs/Catalina.out

When Shared Services is deployed to WebSphere, these confirmation messages are logged to the following file:

● Windows:

<WebSphereInstallDir>\AppServer\logs\SharedServices9\SystemOut.log

● UNIX:

<WebSphereInstallDir>/AppServer/logs/SharedServices9/SystemOut.log

On UNIX and Windows, when Shared Services is deployed to WebLogic, these confirmation messages are also logged to the following file, unless the log level is set to WARN:

● Windows:

<HSS_HOME>\AppServer\InstalledApps\WebLogic\8.1\SharedServices9\ logs\SharedServices_Metadata.log

● UNIX:

<HSS_HOME>/AppServer/InstalledApps/WebLogic/8.1/SharedServices9/ logs/SharedServices_Metadata.log

2 On the Shared Services server computer, launch the User Management Console login page using one of these methods:

a. Open a browser and enter this URL:

http://SharedServicesServerName:port#/interop

where SharedServicesServerName is the name of the computer where the Shared Services server is installed and port# is the Shared Services server port number. The default port number is 58080; if Shared Services server is installed to a non-default port, specify that value. For example, using the default port:

http://jdoe:58080/interop/

Note: As a best practice when accessing User Management Console on the machine where the Shared Services server is running, the URL to access the console should always use an IP address or a fully qualified machine name that includes the domain name. If the IP address is dynamic, use the fully qualified machine name.


b. On Windows, select Start > Programs > Hyperion > Foundation Services > User Management Console.

If the User Management Console login page is displayed, Shared Services server is started successfully.

Stopping Shared ServicesThis section describes how to stop Shared Services if you did not install the Shared Services application server as a Windows service. If you installed the Shared Services application server as a Windows service, use Windows control panel to stop Shared Services server.

➤ To stop Shared Services server, choose a method:

● On Windows, select Start > Programs > Hyperion > Foundation Services > Stop Shared Services.

The menu item indicates which application server the Shared Services server is deployed to.

● Execute the stop script:

Application Server Path to Script

IBM WebSphere Windows:

<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\bin\stopSharedServices9.bat

UNIX:

<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/bin/stopSharedServices9.sh

BEA WebLogic Windows:

<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\stopSharedServices.bat

UNIX:

<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/stopSharedServices.sh

Oracle Windows:

<OracleInstallDir>\bin\emctl stop iasconsole<OracleInstallDir>\opmn\bin\opmnctl stopall

UNIX:

<OracleInstallDir>/bin/emctl stop iasconsole<OracleInstallDir>/opmn/bin/opmnctl stopall

Apache Tomcat Windows:

<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\bin\stopSharedServices9.bat

UNIX:

<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/bin/stopSharedServices9.sh

Note: <HSS_HOME> is the directory where Shared Services is installed; for example, c:\hyperion\SharedServices\9.2.

Verifying Successful Startup 53

Using the FORCESHUTDOWN Command on WebLogicOn WebLogic, if Shared Services server cannot be shut down gracefully, a message is displayed that suggests using the FORCESHUTDOWN command to override inflight work and shut down the server.

➤ To use the FORCESHUTDOWN command to stop Shared Services server:

1 Open the stop script in a text editor.

See “Stopping Shared Services” on page 52 for the stop script location.

2 Find SHUTDOWN in the file and replace it with FORCESHUTDOWN.

3 Save and execute the file.

Deploying WebLogic When Connected Through a Proxy ServerIf you are deploying a product to WebLogic via a proxy server, this process is automated; you do not need to complete additional manual steps for the deployment.

Enabling HTTPS for WebLogic

➤ To enable HTTPS support on WebLogic:

1 Deploy Shared Services on WebLogic using Hyperion Configuration Utility.

For instructions see, “Deploying Shared Services to an Application Server” on page 47.

2 Open this file in a text editor:

HSS_HOME\SharedServices\9.2\AppServer\InstalledApps\WebLogic\ 8.1\SharedServices9\config.xml

3 Add an attribute Enabled=”true” in the SSL tag as follows:

<Server ..........><SSL Enabled=”true” ........../>

</Server>

4 Save and close the file.

5 Start the Shared Services server on WebLogic.

6 Log on to the WebLogic Administration Console:

a. Open a browser and set the address to http://servername:portno/console where servername and portno are the server and port (specified during installation) on which the WebLogic server is running; for example, http://localhost:58080/console.

b. Specify the username and password as follows:

❍ Username: system

❍ Password: weblogic

7 In the left frame, select SharedServices9 > Servers > SharedServices.


8 In the right frame, click the Configuration tab and select the Keystores & SSL sub-tab.

9 Click the Change link for Keystore Configuration.

10 In Specify Keystore Type, for Keystores, select Demo Identity and Demo Trust (if not selected) and click Continue.

Note: In this scenario, the Demo keystore files that come bundled with WebLogic are used.

11 On the Keystore & SSL tab, click Apply.

12 Restart Shared Services server on WebLogic.

HTTPS is enabled on port 7002. You can access Shared Services using the following URL:

https://servername:7002/interop

Updating the Default Session Timeout for WebLogic 8.1 on HP-UXFor HP-UX, Shared Services deployments to WebLogic 8.1 servers can take over 30 minutes to shut down the application server. This is because the default session timeout for WebLogic applications is 3600 seconds (1 hour). To enable quicker shut downs, you can limit session timeouts. Session timeouts are limited by adding a TimeoutSecs parameter to the weblogic.xml configuration file located in <HSS_InstallLocation>/AppServer/ InstalledApps/WebLogic/8.1/SharedServices9/interop/WEB-INF/.

Add this section to the <session-param> section of weblogic.xml:

<param-name>TimeoutSecs</param-name>

<param-value>timeout value in seconds</param-value>

For example:

<session-param>

<param-name>TimeoutSecs</param-name>

<param-value>120</param-value>

</session-param>

ReconfigurationThe Configuration Utility enables you to reconfigure Shared Services multiple times. Reconfiguration procedures are identical to the initial configuration procedures. Launch the Configuration Utility, select Shared Services, and repeat the procedures. Select the options that you want to change and follow the prompts to enter the required information.

Configuration Troubleshooting 55

Configuration TroubleshootingBecause the Configuration Utility separates configuration from product installation, the task of tracking and correcting configuration errors is simplified. The Configuration Utility logs configuration errors and warning messages to a log file, configtool.log, in a central location:

● Windows: %HYPERION_HOME%\common\config\logs

● UNIX: $HYPERION_HOME/common/config/logs

Uninstalling Shared Services and Hyperion Hub 57

C h a p t e r

6Uninstalling Shared Services and

Hyperion Hub

This chapter explains how to uninstall Shared Services and Hyperion Hub.

In This Chapter About Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

58 Uninstalling Shared Services and Hyperion Hub

About Uninstalling Shared Services and Hyperion HubShared Services provides a cross-platform uninstaller program that helps you remove Shared Services or Hyperion Hub from your system.

The uninstaller does not remove common components residing in the HYPERION_HOME\common directory, nor does it uninstall the database that contains data.

Note: If you installed an earlier release of Shared Services or Hyperion Hub, you do not need to uninstall it before installing this release.

Uninstalling Shared Services and Hyperion HubBefore uninstalling Shared Services or Hyperion Hub, stop all activities and processes tied to Shared Services or Hyperion Hub, including the application server, database, and servers related to Shared Services or Hyperion Hub, except if you are using IBM WebSphere as the Web application server. WebSphere should be left running because it removes files during uninstallation.

Uninstalling Hyperion Hub Release 7.0

➤ To uninstall Hyperion Hub Release 7.0:

1 Launch the uninstaller for your platform:

● Windows—c:\Program Files\Hyperion\HyperionHub\7.0\uninstall\ uninstallHyperionHub7.0.exe

● UNIX—/home/username/Hyperion/hyperionhub/7.0/uninstall/ uninstallhyperionhub7.0.bin

Note: On Windows platforms, you can also uninstall from the Control Panel (Add/Remove Programs).

2 Follow the uninstallation prompts.

Uninstalling Hyperion Hub Release 7.0.1

➤ To uninstall Hyperion Hub Release 7.0.1:


● Windows—c:\Program Files\Hyperion\HyperionHub\7.0.1\uninstall\ uninstallHyperionHub7.0.exe

● UNIX—/home/username/Hyperion/hyperionhub/7.0.1/uninstall/ uninstallhyperionhub7.0.bin

Uninstalling Shared Services and Hyperion Hub 59



Uninstalling Hyperion Hub Release 7.2.x

➤ To uninstall Hyperion Hub Release 7.2.x:


● Windows—c:\Program Files\Hyperion\HyperionHub\7.2.x\uninstall\ uninstallHyperionHub7.2.exe

● UNIX—/home/username/Hyperion/hyperionhub/7.2.x/uninstall/ uninstallhyperionhub7.2.bin



Uninstalling Shared Services Release 9.2.1

➤ To uninstall Shared Services Release 9.2.1:


● Windows—<HSS_HOME>\uninstall\uninstallHyperionSystemSharedServices.exe

● UNIX—<HSS_HOME>/uninstall/uninstallHyperionSystemSharedServices.bin

where <HSS_HOME> is the directory where Shared Services is installed; for example, c:\hyperion\SharedServices\9.2.


Caution! Uninstalling Japanese and Korean language Hyperion products using the Microsoft Windows Add/Remove Program may cause an operating system crash. To avoid this potential problem when uninstalling, locate the uninstallHyperionSystemSharedServices.exe file (located in <HSS_HOME>\uninstall) and double-click the executable to perform the uninstallation manually.


60 Uninstalling Shared Services and Hyperion Hub

About External Authentication and Single Sign-On 61

C h a p t e r

7About External Authentication

and Single Sign-On

This chapter helps you to set up Hyperion applications to use external authentication and single sign-on. Using external authentication to manage user accounts on Hyperion applications provides two main benefits:

● The established corporate structure of user accounts is employed by Hyperion applications, thus reducing administrative overhead.

● External authentication provides for single sign-on to Hyperion applications, which eliminates the need for users to log on multiple times with multiple usernames and passwords.

In This Chapter About External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

About Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

About Support for SiteMinder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

External Authentication and Single Sign-On Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

62 About External Authentication and Single Sign-On

About External AuthenticationExternal authentication means the user login information needed by Hyperion applications is stored outside the applications. The information is maintained in a central authentication directory, such as Lightweight Directory Access Protocol (LDAP) Directory, Microsoft Active Directory (MSAD), Windows NT LAN Manager (NTLM), or SAP.

An authentication directory is a centralized store of user and perhaps corporate information. The directory functions like a telephone directory. It can contain much more than usernames and passwords; for example, it may include e-mail addresses, employee IDs, job titles, access rights, and telephone numbers. It may also contain corporate information; for example, it may contain information about corporate locations or other entities.

Note: Users with blank passwords are not supported.

To use external authentication for Hyperion applications, your organization must have an authentication directory containing corporate user information. Additionally, you must modify the XML-based security configuration file associated with your product to specify correct information pertaining to your corporate authentication directory.

The following types of authentication repositories are supported:

● NTLM on Windows 2000 and Windows 2003

● LDAP version 3 or higher

● MSAD on Windows 2000 and Windows 2003

● SAP Enterprise Portal, SAP R/3, SAP BW

For information about external authentication concepts, see “External Authentication and Single Sign-On Terminology” on page 64.

About Single Sign-OnSingle sign-on enables users to access multiple Hyperion products after logging on only once. When an externally authenticated user logs on a Hyperion product, an encrypted token is generated. The token contains the user credentials in the form of the username, and in some cases, the password. The presence of a password in the token depends on the configuration. If you are using a trusted authentication directory, no password is present or required in the token.

About Support for SiteMinder 63

As shown in the following figure, the token is passed among other Hyperion products and is used as needed to reauthenticate the user automatically when the user moves to another application. Single sign-on is effective in cases where one Hyperion product launches another. If a user launches a second product independently; for example, from the Start menu—a token cannot be passed between the products, and the user must reauthenticate.

Tokens are encrypted; however, additional security such as Secure Sockets Layer (SSL) protocol is recommended for prevention of replay attacks (a form of network attack in which a data transmission is maliciously or fraudulently repeated or delayed) or man in the middle attacks (an attack in which an attacker is able to read, insert, and modify messages between two parties without the parties knowing the link between them has been compromised).

To enable single sign-on among multiple Hyperion applications that launch one another, you must use one XML configuration file that is shared by the multiple product installations. See Chapter 10, “Configuring External Authentication for Shared Services.”

For information about key single sign-on concepts, see “External Authentication and Single Sign-On Terminology” on page 64.

About Support for SiteMinderIn addition to native Hyperion single sign-on, Hyperion products can be integrated with Web access management solutions such as Netegrity SiteMinder.

Web access management solutions are employed by organizations to manage and enforce authentication, authorization, and single sign-on for Web resources such as JSP, ASP, or HTML files. Web-based Hyperion products support single sign-on from a Web access management solutions provider, also known as a security agent. Integration with a security agent requires configuration of the <securityAgent> element in the XML configuration file.

Note: In this documentation, the terms security agent and Web security agent are interchangeable. They refer to Web access management solutions providers such as Netegrity SiteMinder.

64 About External Authentication and Single Sign-On

The following security agents are tested and supported for single sign-on with Hyperion applications:

● SiteMinder Policy Server 5.5 Service Pack 2

● SiteMinder Web Agent 5.5 Service Pack 2

If your corporation implements SiteMinder to protect company Web resources, you can configure the security platform to require only that users authenticate through SiteMinder, after which they are not required to present credentials again when logging in to Hyperion applications.

For information about configuring the securityAgent element in the XML configuration file, see “Configuring SiteMinder Single Sign-On” on page 96.

For a sample deployment scenario illustrating single sign-on with SiteMinder, see “Single Sign-On with SiteMinder” on page 120.

External Authentication and Single Sign-On TerminologyThe following table defines key external authentication and single sign-on concepts:

Concept Definition

Authentication repository

A centralized, corporate store of user and group information

May also be referred to as directory or provider. The security platform provides built-in support for the following providers: Lightweight Directory Access Protocol (LDAP) Directory, Windows NT LAN Manager (NTLM), Microsoft Active Directory (MSAD), and SAP.

Configuration file The security platform relies on an XML document to be configured by the product administrator or installer of the software

The XML document must be modified to indicate meaningful values for properties, specifying locations and attributes pertaining to the corporate authentication scenario.

External authentication The process of authenticating a user ID and password on an authentication server, such as an LDAP or NTLM server, instead of authenticating with the current server or application

Identity A unique identification of one user or group on an external authentication repository

Security agent A Web access management solutions provider employed by companies to protect Web resources, also known as a Web security agent

The Netegrity product, SiteMinder, is an example of a security agent.

Security platform A framework providing the ability for Hyperion applications to use external authentication and single sign-on

Single sign-on The ability of an externally-authenticated user to access multiple, linked Hyperion applications after logging on to the first application

The user can launch other applications from the first application and from other linked Hyperion applications without logging on again. The username and password are authenticated.

Token An encrypted identification of one user or group on an external authentication system

Implementing Hyperion External Authentication 65

C h a p t e r

8Implementing Hyperion External Authentication

Use Shared Services External Authentication Configuration Console to manage external authentication outside the context of a particular product or application. After you configure Shared Services, you can configure other Hyperion products that use external authentication by referencing the Shared Services configuration.

For Shared Services functionality to be implemented for Hyperion products or applications, each product requires access to a Shared Services server running Shared Services server software and to a database dedicated to Shared Services. For database options, see Chapter 5, “Configuring and Setting Up Shared Services.”

In This Chapter Workflow for Setting Up External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Preparing to Implement External Authentication and Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

66 Implementing Hyperion External Authentication

Workflow for Setting Up External AuthenticationUse the following process to set up external authentication for Hyperion products:

1. From the Oracle® E-Delivery site, download and install Shared Services. See Chapter 4, “Installing and Upgrading Shared Services.”

2. Complete the application server and database configuration steps for Shared Services before proceeding with configuration of external authentication. See Chapter 5, “Configuring and Setting Up Shared Services.”

3. Configure external authentication for Shared Services. See Chapter 10, “Configuring External Authentication for Shared Services.”

4. Download and install the Hyperion products you plan to use.

5. Configure the Hyperion products you use to reference the Shared Services external authentication configuration. See the Hyperion product installation guides for instructions.

6. If you use NTLM authentication, complete the steps described in Chapter 9, “Using NT LAN Manager for External Authentication.”

7. If you use Web Access Management Solutions (Netegrity), complete the steps described in “Configuring SiteMinder Single Sign-On” on page 96.

Preparing to Implement External Authentication and Single Sign-On

You must complete the following tasks before implementing external authentication and single sign-on with Hyperion applications:

1. Decide which Hyperion products and which operating systems the external authentication functionality needs.

See “Software Requirements” on page 22.

Decide which of the supported authentication providers, on which platforms, to make available in the security realm. See “Software Requirements” on page 22.

Web-based Hyperion applications can be used with Netegrity Siteminder version 5.5 or higher in conjunction with the supported directories. For details on installation and configuration of Netegrity Siteminder, see the Siteminder installation documentation at http://www.netegrity.com.

2. Install and configure Shared Services, available on the Oracle® E-Delivery site. See Chapter 4, “Installing and Upgrading Shared Services” and Chapter 5, “Configuring and Setting Up Shared Services.”

After you configure Shared Services for external authentication, you can configure other Hyperion products to use external authentication by referencing the Shared Services configuration. See the product installation guides.

http://www.netegrity.com

Preparing to Implement External Authentication and Single Sign-On 67

3. If your corporation implemented SiteMinder to protect company Web resources, you can configure the security platform to enable single sign-on among Hyperion applications and SiteMinder. See “Configuring SiteMinder Single Sign-On” on page 96 and “About Support for SiteMinder” on page 63.

4. If you are implementing security using an NTLM provider and using UNIX on the computer where the Hyperion application software is installed, ensure Hyperion Remote Authentication Module is installed.

5. Download and install the Hyperion Remote Authentication Module from the Hyperion Download Center. See “Using the Hyperion Remote Authentication Module” on page 103.

6. After the Remote Authentication Module is installed, provide its URL as a value to the remoteServer element in the security platform XML configuration file.

7. If you want to enable authentication of users from multiple Windows domains, but you do not want to set up trust relationships among the domains, install the Hyperion Remote Authentication Module on a separate Windows server. Separate installation enables users of Hyperion applications running on one domain to log on to Hyperion applications on other domains. All domains involved must be running Hyperion applications that are configured to use one Hyperion Remote Authentication Module instance.

68 Implementing Hyperion External Authentication

Using NT LAN Manager for External Authentication 69

C h a p t e r

9Using NT LAN Manager for

External Authentication

The directions in this chapter apply to administrators who want to enable one or more Hyperion applications to use external authentication of users in a Windows NT LAN Manager (NTLM) domain.

In This Chapter Setting Up User Rights for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

UNIX Application Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Multiple-Domain Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

70 Using NT LAN Manager for External Authentication

Setting Up User Rights for NT LAN ManagerTo enable use of the NTLM provider, access rights are required of the Windows NT user account on which the application or application server runs.

Note: Ensure you set up access rights on the computer on which the application runs, rather than on the NT domain computer.

Additionally, access rights are required for end users. The following access rights are required for external authentication to work with an NTLM provider:

● Access this computer from the network (usually granted to Administrators). End users of Hyperion applications using external authentication require this right.

● Act as part of the operating system (normally not granted to anyone). The account used to run Hyperion application processes requires this right for external authentication to work.

● The logged on user should be a domain user. The user running the application or application server of the Hyperion product should be a domain user rather than a local Windows user.

See one of the following topics, depending on which operating system you use.

● “Setting Up User Rights on Windows 2000” on page 70

● “Setting Up User Rights on Windows 2003” on page 71

Setting Up User Rights on Windows 2000

➤ To set up user rights on Windows 2000:

1 Select Start > Settings > Control Panel > Administrative Tools > Local Security Policy.

This opens the “Local Security Settings” dialog box.

2 In the left frame of Local Security Settings, expand the folder named Local Policies.

3 Click the folder named User Rights Assignment, and, in the right area, double-click the policy named Access this computer from the network.

The “Local Security Policy Setting” dialog box for the “Access this computer from the network” policy is displayed.

4 If the relevant user account has the policy checked, click Cancel and skip to step 9.

5 Click Add.

6 Select the name of the user or group needing the right.

7 Click Add.

8 Click OK.

Setting Up User Rights for NT LAN Manager 71

9 In the right frame, double-click the policy named Act as part of the operating system.

The “Local Security Policy Setting” dialog box for the “Act as part of the operating system” policy is displayed.

10 If the relevant user account has the policy checked, click Cancel and skip the rest of this procedure.

11 Click Add.

12 Select the name of the user or group needing the right.

13 Click Add.

14 Click OK.

Setting Up User Rights on Windows 2003

➤ To set up user rights in Windows 2003:

1 Select Start > Control Panel > Administrative Tools > Local Security Policy.

This opens the “Local Security Settings” dialog box.

2 In the left frame of Local Security Settings, expand the folder named Local Policies.

3 Click the folder named User Rights Assignment, and, in the right area, double-click the policy named Access this computer from the network.

The “Access this computer from the network Properties” dialog box is displayed.

4 If the relevant user account is listed as having this right, click Cancel and skip to step 9.

5 Click Add User or Group.

6 Enter the name of the user or group needing the right.

7 Click OK.

8 In Access this computer from the network Properties, click OK.

9 In the right frame of Local Security Settings, double-click the policy named Act as part of the operating system.

The “Act as part of the operating system Properties” dialog box is displayed.

10 If the relevant user account is listed as having this right, click Cancel and skip the rest of this procedure.

11 Click Add User or Group.

12 Enter the name of the user or group needing the right.

13 Click OK.

14 In Act as part of the operating system Properties, click OK.

15 Close Local Security Settings.

72 Using NT LAN Manager for External Authentication

UNIX Application Support for NT LAN ManagerIf you are implementing external authentication with an NTLM provider and were to support the use of a UNIX computer for the client application or if you must ensure Hyperion Remote Authentication Module is installed on a Windows 2000 server, see Chapter 11, “Using the Hyperion Remote Authentication Module.”

Multiple-Domain Support for NT LAN ManagerIn addition to UNIX application support, Hyperion Remote Authentication Module enables a Hyperion application to authenticate users belonging to other domains that are not trusted by the domain on which the Hyperion application is installed. This removes the necessity to establish trust relationships among the domains.

Therefore, installing Hyperion Remote Authentication Module can be useful to the following groups:

● UNIX application users who must log on using a Windows domain

● Windows users who must log on using multiple Windows domains, although no trust relationships are set up

See Chapter 11, “Using the Hyperion Remote Authentication Module.”

Configuring External Authentication for Shared Services 73

C h a p t e r

10Configuring External

Authentication for Shared Services

This chapter tells administrators how to configure Shared Services to support authentication of users stored in LDAP, MSAD, Windows NTLM, or SAP external authentication providers. Configuration also enables single sign-on for accessing multiple Hyperion applications after logging on only once using external credentials.

In This Chapter How Configuration Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Launching the External Authentication Configuration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Adding or Editing an LDAP or MSAD Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Adding or Editing an NT LAN Manager Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Working with an SAP Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Setting the Search Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Setting the Token Time-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Configuring the Preferred Logging Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Enabling the Security Agent for Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Additional Configuration Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Deleting a Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Notes About User and Group Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Configuring SiteMinder Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Using Secure Sockets Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

74 Configuring External Authentication for Shared Services

How Configuration WorksTo configure Hyperion products for external authentication and single sign-on, use the Shared Services External Authentication Configuration Console to configure Shared Services for external authentication. After you configure Shared Services and verify that external authentication is successful, configure other products by referencing the Shared Services configuration using Hyperion Configuration Utility.

When you use the Shared Services External Authentication Configuration Console to set up external authentication, the console writes your configuration information to the CSS.xml file packaged with Shared Services. For a sample XML configuration file, see Appendix F, “Sample Configuration XML Files.”

Note: Although Hyperion products include XML files that can be configured separately for external authentication, Hyperion strongly recommends simplifying the configuration by using Shared Services. For information about referencing the Shared Services configuration, see the Hyperion product installation guides.

If you are using an earlier release of a Hyperion product with this release of Shared Services, you must have two versions of the external authentication configuration file (CSS.xml) on your system:

● The current Shared Services configuration file installed with this release of Shared Services

● The Hyperion product configuration file installed with the earlier release of your product

Note: Anytime you update the external authentication configuration, you must restart Shared Services AND all Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).

Launching the External Authentication Configuration ConsoleThe Shared Services External Authentication Configuration Console is installed as part of the Shared Services installation.

➤ To launch the External Authentication Configuration Console:

1 If it is not started, start the Shared Services server.

See “Starting Shared Services” on page 50.

2 Launch the External Authentication Configuration Console by selecting Start > Programs > Hyperion > Foundation Services > External Authentication Configuration Console.

The External Authentication Configuration Console is a Web-browser interface to Shared Services, set to the following address:

http://hostname:portno/interop/framework/login

where hostname and portno are the host and port number on which Shared Services is running, for example,

http://localhost:58080/interop/framework/login

Adding or Editing an LDAP or MSAD Provider 75

3 Enter your user name and password.

The default login information is as follows:

User: admin

Password: password

4 Click Log on.

Adding or Editing an LDAP or MSAD ProviderUse External Authentication Configuration Console to add, edit, and configure LDAP or MSAD providers for external authentication.

Note: When you use External Authentication Configuration Console to make changes to external authentication, the console updates the CSS.xml file located at: <HSS_HOME>\AppServer\InstallableApps\ common, where <HSS_HOME> represents the directory where Shared Services was installed.

➤ To add an LDAP or MSAD provider:

1 Launch Shared Services External Authentication Configuration Console.

2 Click Add.

3 Select LDAP or MSAD, and click Next.

4 Complete the tasks described in the following topics:

● “Naming the Provider Configuration (Required)” on page 75

● “Specifying Hostname, Port, and Base DN (Required)” on page 76

● “Setting a Read-Only User Account or Selecting an Anonymous Bind (Required)” on page 76

● “Specifying the Location of Users (Optional)” on page 77

● “Specifying the Location of Groups (Optional)” on page 77

● “Specifying the Provider Trust Setting (Optional)” on page 77

● “Setting Maximum Result-Set Size (Optional)” on page 79

● “Setting Authorization Type (Optional)” on page 79

● “Completing the Configuration (Required)” on page 79

To edit a provider, click Edit instead of Add, and complete the relevant tasks in the preceding list.

Naming the Provider Configuration (Required)You must provide a configuration name for each external authentication provider. Provider configuration names enable you to distinguish among multiple providers of one type. For example, two LDAP providers might be named ldapserver1 and ldapserver2.


Configuration names do not have to match server names.

➤ To name the LDAP or MSAD configuration:

1 In Name, type a configuration name (for example, ldapServer1 or ldapserver2).

2 Click Save or continue to the next section.

Specifying Hostname, Port, and Base DN (Required)You must indicate the address of the external authentication provider.

➤ To specify the host information:

1 In Hostname, enter the name of the computer hosting the LDAP or MSAD repository.

For example, myHost2.

2 In Port, enter the port number used by the LDAP or MSAD repository; for example, 58089.

3 In Base DN, enter the directory information tree (DIT) section of an LDAP or MSAD URL.

You must include the domainComponent attributes (DCs); for example, DC=company,DC=com.


Shared Services cannot access users and groups from LDAP servers where the root context contains spaces. To work around this problem, after you click Save, modify the root context entry in the external authentication configuration file as shown in the following text.

If the root context is as follows:

ldap://hostName:58089/dc=Engg Dept,dc=com

the entry should be:

ldap://hostName:58089/dc=Engg%20Dept,dc=com

Setting a Read-Only User Account or Selecting an Anonymous Bind (Required)You must provide a default way for Hyperion products to connect to the external authentication directories.

➤ To provide a connection method:

1 Complete one of the following actions:

● In User DN, Password, and Confirm Password, enter the information pertaining to a user account having at least read access to the directory information tree (DIT) specified in the Base DN field (for example, dc=company, dc=com).

This enables a Hyperion product to get user information from the LDAP or MSAD directory when a user attempts to log on to the Hyperion product using external credentials.


● If the administrator configures the directories to provide anonymous access to the directory information tree, select Anonymous bind.


Specifying the Location of Users (Optional)You can identify the location where users are stored in the directory information tree.

Optionally, if you want the provider to search the whole directory specified by the Base DN, skip this section.

➤ To provide the user location:

1 In User URL, enter a value indicating the branch in the directory server containing user entries; for example, ou=People.


Specifying the Location of Groups (Optional)You can identify the location where groups are stored in the directory information tree.

Optionally, if you want the provider to search the whole directory specified by the Base DN, skip this section.

➤ To provide the group location:

1 In Group URL, enter a value indicating the branch in the directory server containing group entries; for example, ou=Groups.


Specifying the Provider Trust Setting (Optional)When set to true, the trust setting means that the user credentials found in a token received by a Hyperion application are not validated against the external authentication repository. This quickens the authentication process.

When the trust setting is true in a single sign-on scenario, these actions occur:

1. Hyperion application 2 receives a token from another Hyperion application 1 that launches it. The password is not part of the token.

2. Hyperion application 2 sends the token to the single sign-on mechanism.

3. The single sign-on mechanism validates the token is constructed properly. (Token decryption and read are successful.)

4. The single sign-on mechanism validates the token has not timed out.

Note: The single sign-on token carries the time the token was created and times out based on the settings provided in the external authentication configuration file. Therefore, ensure the system clock is set correctly.


5. The single sign-on mechanism extracts the identity from the token and validates it exists within the authentication providers.

6. The single sign-on mechanism confirms the user exists within the authentication providers.

7. The single sign-on mechanism returns the identity string to Hyperion application 2 to complete authentication.

When the trust setting is false in one sign-on scenario, additional steps are taken. Steps 4-6 are unique to untrusted providers.

1. Hyperion application 2 receives a token from another Hyperion application 1 that launches it. The password is part of the token.

2. Hyperion application 2 sends the token to the single sign-on mechanism.

3. The single sign-on mechanism validates the token is constructed properly. (Token decryption and read are successful.)

4. The single sign-on mechanism validates the token has not timed out.


5. The single sign-on mechanism extracts the identity and password from the token.

6. The single sign-on mechanism validates the username and the password against the authentication providers indicated in the configuration.

7. The single sign-on mechanism receives an approval or denial to authenticate from the authentication provider.

8. The single sign-on mechanism returns the identity string to Hyperion application 2 to complete authentication.

➤ To specify the provider trust setting:

1 Clear Trusted if this is not a trusted LDAP or MSAD provider, or select Trusted if this is a trusted provider.

● If the trust setting is true, a password is not present or required in the token generated upon user authentication. The user still must log on with a username and password, but the password is not stored in the token.

Note: For an explanation of tokens, see “About External Authentication” on page 62.

● If the trust setting is false, a password is part of the token and is required for this NTLM provider.

Note: If your corporation uses a security agent such as Netegrity SiteMinder to protect company Web resources, the provider must be trusted. See “Configuring SiteMinder Single Sign-On” on page 96


2 Click Save or continue to “Setting Maximum Result-Set Size (Optional)” on page 79.

Setting Maximum Result-Set Size (Optional)You can set the maximum number of entries that can be returned as a result of a request to the authentication provider (for example, a request by a Hyperion application to list users available for login).

➤ To set the maximum result-set size for an LDAP or Active Directory provider:

1 In Maximum Size, enter the maximum number of entries to be returned in a query:

● If Maximum Size is left empty, the default value is 100.

● If Maximum Size is set to 0, the result-set size is unlimited. This may not be advisable, because on very large query results, it might consume too much memory.

2 Select Save or continue to the next section.

Setting Authorization Type (Optional)This configuration topic is relevant if you are using the Secure Sockets Layer (SSL) protocol for secure data transmission to and from the authentication provider.

➤ To set the authorization type, in Authorization Type, leave the default value of Simple, or select SSL enabled if you are implementing Secure Sockets Layer.

See “Using Secure Sockets Layer (SSL)” on page 97.

Completing the Configuration (Required)

➤ To complete the configuration, click Save.

Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml). Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).

Note: Shared Services cannot access users and groups from LDAP servers where the root context contains spaces. To work around this problem, after you click Save, modify the root context entry in the external authentication configuration file as described in “Specifying Hostname, Port, and Base DN (Required)” on page 76.


Adding or Editing an NT LAN Manager ProviderUse the Shared Services External Authentication Configuration Console to add, edit, and configure Windows NTLM providers for external authentication.

Note: When you use External Authentication Configuration Console to make changes to the external authentication configuration, the console updates the CSS.xml file located at: <HSS_HOME>\AppServer\ InstallableApps\common, where <HSS_HOME> represents the directory where Shared Services was installed.

➤ To add an NTLM provider:

1 Launch External Authentication Configuration Console.

2 Click Add.

3 Select NTLM and click Next.

4 Complete the tasks described in the following topics:

● “Naming the Provider Configuration (Required)” on page 80

● “Specifying the Domain (Optional)” on page 81

● “Specifying a Remote Authentication Module Location (Optional)” on page 81

● “Specifying the Provider Trust Setting (Optional)” on page 82

● “Setting Maximum Result-Set Size (Optional)” on page 82

● “Completing the Configuration (Required)” on page 83

➤ To edit an NTLM provider:


2 Click Edit.

3 Complete the relevant tasks described in the preceding list of topics.

Note: Click Save often to commit your configuration changes to the CSS.xml file.

Naming the Provider Configuration (Required)You must provide a configuration name for each external authentication provider. Provider configuration names enable you to distinguish among multiple providers of one type. For example, two NTLM providers might be named ntlmserver1 and ntlmserver2.

Configuration names do not have to match server names.

➤ To name the NTLM configuration:

1 In Name, enter a configuration name (for example, ntlmServer or ntlmserver2).


Adding or Editing an NT LAN Manager Provider 81

Specifying the Domain (Optional)If a domain is specified, the NTLM provider is responsible for performing operations on that domain. Alternatively, if the domain element is left empty, the provider performs operations on the trusted domains.

If you do not specify a domain element in the configuration file, a search for a user or group that is specified in multiple places returns only the first match. The match order is as follows:

● Local computer

● Domain of local computer

● Trusted domains

For example, if the local computer and the domain of the local computer have an Administrators group and the domain element of the NTLM server is not specified in the external authentication configuration file, all methods that search for the Administrators group return only one. The returned group is the group on the local computer.

Hyperion recommends you specify a domain element in the external authentication configuration file. If a user ID exists with one password in an NTLM repository and another password in another repository (LDAP or MSAD), and NTLM is earlier in the search order, authenticating the LDAP or MSAD user ID can result in a lock out of the NTLM user account. To address this situation, Hyperion recommends you use the provider hint while authenticating a user, if the authentication repository is known.

➤ To specify the NT LAN Manager domain:

1 In Domain, enter the domain name (for example, HYPERION).

Use the name of the Windows domain that your company uses as an authentication provider.


Specifying a Remote Authentication Module Location (Optional)This step applies only if you are supporting the following groups:

● UNIX application users who must log on using a Windows domain. See “UNIX Application Support for NT LAN Manager” on page 72.

● Windows users who must log on using multiple Windows domains although no trust relationships are set up. See “Multiple-Domain Support for NT LAN Manager” on page 72.


➤ To specify the location of the Hyperion Remote Authentication Module:

1 In Host name, enter the host name of the Remote Authentication Module.

2 In Port, enter the port number on which the Remote Authentication Module runs.

The default port number is 58000.

See “Using the Hyperion Remote Authentication Module” on page 103.


Specifying the Provider Trust Setting (Optional)

➤ To specify the provider trust setting:

1 Clear Trusted if this is not a trusted NT LAN Manager provider, or select it if this is a trusted provider.

● If the trust setting is true, a password is not present or required in the token generated upon user authentication. The user still must log on with a user name and password, but the password is not stored in the token.

● If the trust setting is false, a password is part of the token, and this is required for this NTLM provider.

Note: If your corporation uses a security agent such as Netegrity SiteMinder to protect company Web resources, the provider must be trusted. See “Configuring SiteMinder Single Sign-On” on page 96.

See “Specifying the Provider Trust Setting (Optional)” on page 77.


Setting Maximum Result-Set Size (Optional)You can set the maximum number of entries to be returned as a result of a request to the authentication provider (for example, a request by a Hyperion application to list users available for login).

➤ To set the maximum result-set size for an NT LAN Manager provider:

1 In Maximum Size, enter the desired maximum number of entries that can be returned in a query.

● If Maximum Size is left empty, the default value is 100.

● If Maximum Size is set to 0, no results are returned.

Note: The preceding statement is true only for NT LAN Manager. When you use LDAP or Active Directory (MSAD), a maximum size of 0 means the result-set size is unlimited.

2 Continue to the next section.

Working with an SAP Provider 83

Completing the Configuration (Required)

➤ To complete the configuration, click Save.

Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml). Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).

Working with an SAP ProviderShared Services supports single sign-on (SSO) with SAP by accepting an SAP logon ticket. This enables users defined in an SAP user store that may be synchronized with a corporate directory (LDAP enabled directories such as iPlanet, Active Directory) to seamlessly navigate between SAP (SAP Enterprise Portal, SAP R/3, and SAP BW) and Hyperion applications. If an SAP provider is configured, users can also directly logon to Hyperion applications using the user ID and password stored in the SAP system. The SAP provider creates the SAP logon ticket to enable SSO with SAP systems.

After an SAP provider is configured, the SAP users and activity groups (roles) are displayed when you select the SAP provider in the User Management Console. SAP roles are depicted as groups in the console. You then provision users or groups (roles) with the appropriate Hyperion roles to assign appropriate access privileges to Hyperion applications.

When a user logs into Hyperion applications, Shared Services authenticates the user and issues a login token. When the user accesses the SAP system, the Hyperion application passes the SAP logon ticket contained in the token to SAP to enable SSO.

When a user logs on to the SAP Portal and navigates to Hyperion applications, an SAP logon ticket is passed to Shared Services. Shared Services decrypts the SAP logon ticket using the specified SAP certificate. This is depicted in the following illustration.


If a corporate directory is used by the SAP system as a primary store for user data, Shared Services can enable SSO between Hyperion applications and SAP systems even if an SAP provider is not configured. This requires that the corporate directory used by the SAP system be:

● supported by Shared Services (see Chapter 3, “Planning the Shared Services Installation”)

● included in the search order defined in the provider configuration

In this scenario, Hyperion applications must receive the SAP logon ticket to enable SSO with SAP.

Prerequisites● All SAP systems within the SAP landscape must be set up for single sign-on with the SAP

login ticket. User IDs must be normalized across the SAP landscape so that a user ID in one SAP system refers to the same user across all SAP systems. See the SAP documentation for more information.

● Copy/download the SAP JCo binaries (.dll files for Windows and shared libraries for UNIX) into %HYPERION_HOME%/common/SAP/bin directory. For example: /vol1/Hyperion/common/SAP/bin (UNIX) C:\Hyperion\common\SAP\bin (Windows). These binaries are available in your SAP distribution. You may also download them from the SAP web site.

● Copy/download the SAP JCo archives (.jar files) into %HYPERION_HOME%/common/SAP/lib directory. For example: /vol1/Hyperion/common/SAP/lib (UNIX) C:\Hyperion\common\SAP\lib (Windows). These binaries are available in your SAP distribution. You may also download them from the SAP web site.

● Copy/download the following SAP libraries into %HYPERION_HOME%/common/SAP/lib directory. For example, /vol1/Hyperion/common/SAP/lib (UNIX) C:\Hyperion\common\SAP\lib (Windows). These libraries are required to verify the SAP SSO login ticket provided to Hyperion applications application. You can extract these libraries from the file system of any J2EE Engine 6.30 or higher or from the Enterprise Portal EP60 SP2 or higher by searching through the SDA files containing the libraries. Required only if Hyperion applications are plugged into SAP Enterprise Portal.

❍ com.sap.security.core.jar

❍ com.sap.security.api.jar

❍ sapjco.jar

❍ sap.logging.jar

❍ iaik_jce.jar

❍ iaik_jce_export.jar (if using the export version of the IAIK-JCE libraries)

● Execute the explodejar.bat (Windows) or explodejar.sh (UNIX) script file available in %HYPERION_HOME%/common/SAP/lib directory to extract the contents of the SAP libraries jar files.

Working with an SAP Provider 85

Adding an SAP ProviderUse the Shared Services External Authentication Configuration Console to add, edit, and configure SAP providers for external authentication.

Note: When you use External Authentication Configuration Console to make changes to the external authentication configuration, the console updates the CSS.xml file located at: <HSS_HOME>\AppServer\ InstallableApps\common, where <HSS_HOME> represents the directory where Shared Services was installed.

➤ To add an SAP provider:


2 Click Add.

3 Select SAP and click Next.

4 Enter the appropriate configuration parameters.

Fields that must contain valid parameters are indicated by the asterisk. Refer to Table 4 for detailed information on the parameters you can set in the Configure SAP Provider screen.

Table 4 SAP Provider Parameters

Field/Checkbox Description

Name A unique configuration name for the SAP provider. Used to identify the SAP provider in situations where multiple SAP providers are defined in Shared Services.

SAP Server Name The host name or IP address of the machine where the SAP Server is running.

Client Number The client number of the SAP system to which you want to connect.

System Number The system number (for example, 00) of the SAP System to which you want to connect.

User ID The SAP user ID that Shared Services should use to access the SAP provider. This user must have the access privileges to use Remote Function Calls (RFC) to connect to SAP and access user, activity groups, and their relationship data.

Password The SAP provider password of the user identified in the User ID field.

Max Entries The maximum number of entries that a query to the SAP provider may return. Default is 100.

Pool Size JCo connection pool size.

Pool Name A unique name for the connection pool that should be used to establish a link between Shared Services and the SAP provider.

Language Language for messages, for example error messages, from the SAP System. By default, this is read from the system locale of the computer hosting Shared Services server.

Location of SAP Digital Certificate

The location of SAP X509 certificate. This certificate is used to parse the SAP login ticket and to extract the user ID needed to support SSO. Required only if Hyperion applications are plugged into SAP Enterprise Portal.


5 Click Save.

Provisioning SAP Users/Activity GroupsAfter configuring an SAP provider, SAP users and roles are displayed in the User Management Console. Roles from the SAP system are displayed as distinct groups. Shared Services, however, does not import the relationships that exist between simple and composite roles within the SAP system. Both simple and composite roles can be nested within Hyperion native groups.

You must provision SAP users/roles with appropriate Hyperion roles to provide them access to Hyperion applications. You can:

● Provision SAP users/activity groups by assigning them Hyperion roles

● Add SAP users/activity groups to Hyperion native groups in the Shared Services directory to facilitate administration

Refer to the Shared Services User Management Guide for detailed information on provisioning users/activity groups.

Setting the Search OrderThe search order provides the external authentication mechanism with the ability to access multiple providers in a sequential manner. At least one provider must be in the search order.

Note: If you are using Netegrity SiteMinder to manage and enforce authentication, authorization, and single sign-on for company Web resources, ensure the search order for directories in Shared Services and the search order for directories in Netegrity SiteMinder are the same.

➤ To set the search order of authentication providers:

1 In External Authentication Configuration Console Defined Providers, select a provider and take one or more of the following actions:

● Click Add to place a provider in the search order. If a provider is left out of the search order, it cannot be used for authentication.

● Click Move Up to give the provider a higher priority in the search order. The first priority is 1.

Hyperion recommends you place the provider containing the most users of Hyperion applications first in the search order.

SSL Enabled Select this checkbox if the secure socket layer (SSL) is to be used to communicate between Shared Services and the SAP provider.

Trusted Select this checkbox if authentication by SAP ticket is required.

Table 4 SAP Provider Parameters

Field/Checkbox Description

Configuring the Preferred Logging Priority 87

● Click Move Down to give the provider a lower priority in the search order. The last priority is represented by the highest number.

● Click Remove to remove a provider from the search order.

At least one provider must remain in the search order. The providers you remove from the search order are not included as potential authentication sources.

2 Click Save.

Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml).

3 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).

Setting the Token Time-OutWhen an externally authenticated user logs on to a Hyperion application, a token is generated to contain the login credentials. You can configure the token to expire after a specified number of minutes other than the default of 480 minutes (8 hours).


➤ To define the length of time a token is valid:

1 In the Additional Configuration section of the External Authentication Configuration Console, locate Token Timeout, enter how many minutes should pass before a user is required to reauthenticate in Token Timeout.

2 Click Save.



Configuring the Preferred Logging PriorityYou can adjust the level of authentication-related messages you want all participating Hyperion applications to log.

➤ To configure the error level setting for applications supporting external authentication and single sign-on:

1 In the Additional Configuration section of the External Authentication Configuration Console, locate Logging Level.

2 In Logging Level, select the level of reporting Hyperion applications are to use when logging external authentication activities.


In the following list of values, each level includes the levels below it:

● DEBUG includes extensive information useful for debugging.

● INFO includes information on the status of operations and requests.

● WARN includes cautionary information, if relevant, for some operations and requests.

● ERROR includes only statements pertaining to failed operations and requests.

● FATAL includes only information about errors resulting in a disconnection.

The name of the log file is SharedServices_Security_Client.log, and it is stored in the temp directory of the operating system.

3 Click Save.



Enabling the Security Agent for Single Sign-OnFor Web-based Hyperion products, single sign-on integration with Netegrity SiteMinder is available. SiteMinder is a Web access management solutions provider employed by companies to manage and enforce authentication, authorization, and single sign-on for company Web resources. After SiteMinder authenticates a user, the Hyperion security platform enables single sign-on for the user into a Web-based Hyperion application without challenging the user for credentials.

➤ To enable integration with the security agent for single sign-on:

1 In the Additional Configuration section of External Authentication Configuration Console, select Support Security Agent for Single Sign-on.

2 Click Save.



Additional Configuration ElementsThe following optional configuration elements are not currently available using the Shared Services External Authentication Configuration Console. If you must use the following configuration elements, edit the Shared Services external authentication configuration file (CSS.xml) directly using a text editor. Do not edit the file until after you complete the preliminary configuration using the Shared Services console. Additionally, Hyperion recommends backing up the CSS.xml file before editing it directly.

Additional Configuration Elements 89

The CSS.xml file is located at <HSS_HOME>\AppServer\InstallableApps\common

where <HSS_HOME> represents the directory where Shared Services was installed.

Caution! Be sure to save your changes to the CSS.xml file before closing the text editor and before using the Shared Services External Authentication Configuration Console again.

Before continuing, it is recommended you examine the structure of the sample CSS.xml files in Appendix F, “Sample Configuration XML Files.”

This section contains the following topics:

● “Configuring the User Login Attribute (Optional, LDAP/MSAD Only)” on page 89

● “Configuring the User First-Name Attribute (Optional, LDAP/MSAD Only)” on page 90

● “Configuring the User Surname Attribute (Optional, LDAP/MSAD Only)” on page 91

● “Configuring the User E-mail Attribute (Optional, LDAP/MSAD Only)” on page 91

● “Adding Custom User Object-Class Entries (Optional, LDAP/MSAD Only)” on page 92

● “Configuring the Group Name Attribute (Optional, LDAP/MSAD Only)” on page 93

● “Adding Custom Group Object-Class Entries (Optional, LDAP/MSAD Only)” on page 93

● “Adding Referral Support (Optional, MSAD Only)” on page 94

Configuring the User Login Attribute (Optional, LDAP/MSAD Only)With the user login attribute, you can specify a directory attribute that uniquely identifies all relevant user entries.

➤ To configure the user login attribute:

1 Add a User section to the Provider section of the XML if one does not exist, and add a loginAttribute element to the User section. The tags should be nested as follows, with the additions shown in bold:

<spi> <provider> <ldap name="ldapserver"> ... <user> <loginAttribute></loginAttribute> </user> ... </ldap> </provider><spi>

2 Between the <loginAttribute></loginAttribute> tags, enter the value of an attribute in the directory that uniquely identifies user entries.


The attribute may be part of the DN, such as uid or cn, or a customized attribute, such as employee_ID, or another attribute commonly used in the directory nodes of users. If the <loginAttribute> section is deleted, the default value is uid, as shown in this sample:

<loginAttribute>uid</loginAttribute>

The sample is correct if all user names are identified by uid = UserName.

3 Save the CSS.xml file.


Configuring the User First-Name Attribute (Optional, LDAP/MSAD Only)You can use the first-name attribute to specify the directory attribute associated with first-name entries in the directory.

➤ To configure the user first-name attribute:

1 Add a User section to the Provider section of the XML if one does not exist, and add a fnAttribute element to the User section. The tags should be nested as follows, with the additions shown in bold:

<spi> <provider> <ldap name="ldapserver"> ... <user> <fnAttribute></fnAttribute> </user> ... </ldap> </provider><spi>

2 Between the <fnAttribute></fnAttribute> tags, enter the value of an attribute associated with first-name entries in the directory. If the fnAttribute element is not used, the default value for the first-name attribute is givenname.




Configuring the User Surname Attribute (Optional, LDAP/MSAD Only)You can use the surname attribute to specify the directory attribute associated with last-name entries in the directory.

➤ To configure the user surname attribute:

1 Add a User section to the Provider section of the XML if one does not exist, and add an snAttribute element to the User section. The tags should be nested as follows, with the additions shown in bold:

<spi> <provider> <ldap name="ldapserver"> ... <user> <snAttribute></snAttribute> </user> ... </ldap> </provider><spi>

2 Between the <snAttribute></snAttribute> tags, enter the value of an attribute associated with last-name entries in the LDAP directory. If the surname attribute is not used, the default value is sn.



Configuring the User E-mail Attribute (Optional, LDAP/MSAD Only)You can use the e-mail attribute to specify the directory attribute associated with e-mail addresses stored as entries in your corporate directory.

➤ To configure the user e-mail attribute:

1 Add a User section to the Provider section of the XML if one does not exist, and add an emailAttribute element to the User section. The tags should be nested as follows, with the additions shown in bold:

<spi> <provider> <ldap name="ldapserver"> ... <user> <emailAttribute></emailAttribute> </user> ... </ldap> </provider><spi>


2 Between the <emailAttribute></emailAttribute> tags, enter the value of an attribute mapped to e-mail addresses stored in your corporate directory. If the e-mail attribute is not used, the default value is mail.



Adding Custom User Object-Class Entries (Optional, LDAP/MSAD Only)You can add custom elements to the CSS.xml file if your corporate directory schema requires specialized object classes to describe users and those object classes are not present in the entries.

➤ To add custom user object classes:

1 Add a User section to the Provider section of the XML if one does not exist, and add one or more objectclass and entry elements to the User section. The tags should be nested as follows, with the additions shown in bold:

<spi> <provider> <ldap name="ldapserver"> ... <user> ... <objectclass> <entry></entry> </objectclass> ... </user> ... </ldap> </provider><spi>

2 Add a value to each <entry> element.

The provided (default) user object classes for LDAP are person, organizationalPerson, and inetOrgPerson.

The provided (default) user object classes for Active Directory are person, organizationalPerson, and user.




Configuring the Group Name Attribute (Optional, LDAP/MSAD Only)You can use the group name attribute to specify a directory attribute uniquely identifying all relevant group entries.

➤ To configure the group name attribute:

1 Add a Group section to the Provider section of the XML if one does not exist, and add a nameAttribute element to the Group section. The tags should be nested as follows, with the additions shown in bold:

<spi> <provider> <ldap name="ldapserver"> ... <group> <nameAttribute></nameAttribute> </group> ... </ldap> </provider><spi>

2 Between the <nameAttribute></nameAttribute> tags, enter the value of an attribute in the corporate directory through which a group entry can be discovered. If the group name attribute is not used, the default value is cn.

For example, following configuration means the group names containing the relevant user entries are using the Common Name attribute:

<nameAttribute>cn</nameAttribute>



Adding Custom Group Object-Class Entries (Optional, LDAP/MSAD Only)You can add custom elements to the CSS.xml file if your corporate directory schema requires specialized object classes to describe groups and those object classes are not present in the entries.

➤ To add custom group object classes:

1 Add a Group section to the Provider section of the XML if one does not exist, and add one or more objectclass and entry elements to the Group section. The tags should be nested as follows, with the additions shown in bold:

<spi>

<provider> <ldap name="ldapserver"> ...


<group> ... <objectclass> <entry></entry> </objectclass> ... </group> ... </ldap> </provider><spi>

2 Add a value to each <entry> element.

The provided (default) group object classes for LDAP are groupofuniquenames?uniquemember and groupOfNames?member.

The provided (default) group object class for Active Directory is group?member.

For additional entries, the <entry> tag values must be of the format ObjectClassName?AttributeName; for example: <entry>group?member</entry>. Where group is the name of the objectClass and member is the attribute holding the distinguished Name of the member of this group.



Adding Referral Support (Optional, MSAD Only)Referrals are used to collect information from multiple servers and present it in a single namespace. For example, if a company is acquired and the directories are yet to be integrated, but users from both companies need to be listed whenever a directory search is performed.

Note: Because there are performance implications when you activate this setting, Hyperion provides an option whether to turn this setting on or off.

The <property></property> element enables the use of referrals in MSAD. MSAD referral entries are ignored unless this setting is added to the configuration file.

➤ To add support for referrals:

1 Add a Property section to the end of the msad Provider section of the XML, following the closing <group> tag. Include the keys and values shown. The tags should be nested as follows, with the additions shown in bold:

Notes About User and Group Names 95

<spi> <provider> <msad name="msadServer"> ... <user> ... </user> <group> ... </group> <property> <key>com.hyperion.css.followReferral</key> <value>true</value> </property> </msad> </provider><spi>



Deleting a ProviderDeleting a provider permanently removes the provider from the configuration.

Note: Remove removes the provider from the search order but not from the configuration.

➤ To delete a provider:

1 Launch the External Authentication Configuration Console.

2 Select a provider and click Delete.

Notes About User and Group NamesThe at symbol (@) is a reserved character used to delineate the user name or group name from the provider name.

For example:

username@providerName => jblow@ntlmServer groupname@providerName => marketing@ntlmServer

If a user name or group name contains @, the characters following @ are considered to be the name of a provider registered in the search order. If such a provider name does not exist, an error message is returned.

Additionally, the asterisk character (*) cannot be used in LDAP or MSAD user/group names


Configuring SiteMinder Single Sign-OnFor Web-based Hyperion products, single sign-on integration with Netegrity SiteMinder is available.

SiteMinder is a Web access management solutions provider companies employ to manage and enforce authentication, authorization, and single sign-on for their Web resources.

After SiteMinder authenticates a user, the Hyperion security platform enables single sign-on for the user into a Web-based Hyperion application without challenging the user for credentials.

Configuring the SiteMinder Policy ServerThe SiteMinder administrator must set up protection for the Web resources of the Hyperion application. These resources can be HTML, JSP, ASP files, or other Web-based resource files.

The SiteMinder administrator must configure a response that adds a custom HTTP header. This HTTP header makes a login name available to Hyperion application Web resources. The header must include the parameter HYPLOGIN, and the value of the login name of the authenticated user.

For example, if you use an LDAP directory and cn is the login name attribute in the configuration file, the HYPLOGIN header should carry the cn value of the LDAP authenticated user. SiteMinder administrators can also configure the header to SM_USERLOGINNAME, the username specified by the user during logon.

See the “Responses and Response Groups” section of the Netegrity Policy Design Guide.

Configuring the SiteMinder Web AgentSiteMinder supports a single sign-on environment across Hyperion applications running on heterogeneous web server platforms. If Hyperion applications, including Shared Services, run on different web servers, you must ensure that the SiteMinder cookie can be passed among web servers within the same domain.

➤ In the WebAgent.conf file for each web server, set the “cookiedomain” property, as follows:

Cookiedomain=“.domainName.com”

For example:

Cookiedomain=“.hyperion.com”

For more details, see the “Configuring Web Agents” chapter in the Netegrity SiteMinder Agent Guide.

Because Shared Services uses basic authentication to protect its content, the web server that intercepts requests for Shared Services should enable basic authentication to support single sign-on with SiteMinder.

Using Secure Sockets Layer (SSL) 97

Enabling SiteMinder Authentication in the Shared Services ConfigurationIntegration with SiteMinder requires configuration of the <securityAgent></securityAgent> element in the CSS.xml configuration file.

The CSS.xml file is on the computer hosting Shared Services, at <HSS_HOME>\ AppServer\InstallableApps\common

where <HSS_HOME> represents the directory where Shared Services is installed.

Caution! Do not edit the CSS.xml file until after you finish using Shared Services External Authentication Provider Configuration Console for the preliminary configuration. Additionally, Hyperion recommends backing up the CSS.xml file before editing it directly.

➤ To enable SiteMinder authentication in the Shared Services configuration:

1 Using a text editor, open the CSS.xml file.

2 Above the final line of the file, add a blank line that reads as follows:

</css>

3 In the blank line above </css>, type the following text:

<securityAgent name="NETEGRITY"/>

4 Save and close CSS.xml.

Deployment ExampleFor a sample deployment scenario, see “Single Sign-On with SiteMinder” on page 120.

Using Secure Sockets Layer (SSL)You can use the Secure Sockets Layer (SSL) protocol for secure data transmission to and from the authentication provider.

Tokens are encrypted; however, the additional security of Secure Sockets Layer is recommended for prevention of replay attacks (a form of network attack in which a data transmission is maliciously or fraudulently repeated or delayed) or man in the middle attacks (an attack in which an attacker is able to read, insert, and modify messages between two parties without the parties knowing the link between them has been compromised).

The Hyperion security platform uses the LDAP service provider from Sun to authenticate users

stored externally in an LDAP-compatible directory such as Novell eDirectory, SunTM Open Net Environment (Sun ONE, formerly iPlanet), or MSAD. The LDAP service provider runs on the


Java Virtual Machine for your application. When SSL is used as the secure medium to connect to the directory server, the LDAP service provider of the security platform uses Java Secure Socket Extension (JSSE) software for its SSL support.

Enabling the Use of SSLTo use Secure Sockets Layer, you must select SSL as the authorization type when configuring Shared Services for external authentication.

If you are using Secure Sockets Layer (SSL), you must also complete the following tasks:

● On the directory server, ensure a certificate is installed and available.

● On the Java Virtual Machine that runs your application, create a certificate database if one does not exist.

● On the Java Virtual Machine that runs your application, trust the Certificate Authority (CA) issuing the server certificate.

Note: MSAD sp2 and earlier releases of Hyperion applications are known to have connectivity issues over SSL. Information on resolving such issues is available at this Microsoft Web site: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320711

For information about setting up SSL, see the documentation for your directory server or application server and JRE.

Setting Up SSL on OpenLDAPOpenLDAP requires OpenSSL to be installed to create and verify the certificates. OpenSSL is available at http://www.openssl.org.

➤ To set up SSL on OpenLDAP:

1 Use OpenSSL to create a self signed server certificate. From a command line, enter the following:

openssl req -newkey rsa:1024 -x509 -nodes -out openldap.pem -keyout openldap.pem -days 365

2 Add the following entries to the slapd.conf file:

TLSCertificateFile C:/Hyperion/SharedServices/9.2/openLDAP/openldap.pem

TLSCertificateKeyFile C:/Hyperion/SharedServices/9.2/openLDAP/openldap.pem

TLSVerifyClient never

3 Start the OpenLDAP database.

slapd -d 1 -h "ldap:/// ldaps:///"

slapd -d 1 -h "ldap://:58089 ldaps:///"

This command starts LDAP on port 58089.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320711

http://www.openssl.org


Consult the OpenLDAP Administrator's Guide for a detailed and up-to-date discussion of TLS/SSL use in OpenLDAP Software.

Setting Up SSL on Apache Tomcat 5.0.28To enable SSL on the Tomcat application server, complete these tasks:

● Create a keystore file on the machine where the Shared Services application server is running. See “Creating a Keystore File” on page 99.

● Map the keystore file to the Tomcat server.xml file. See “Configuring the Tomcat server.xml File” on page 100.

● Modify the hub.properties file to use HTTPS. See “Modifying the hub.properties File” on page 101.

Creating a Keystore File

➤ To create a keystore file:

1 Generate the .keystore file:

a. Change to this directory:

❍ Windows:

HYPERION_HOME\common\JDK\Sun\1.4.2\bin

❍ UNIX:

HYPERION_HOME/common/JDK/Sun/1.4.2/bin

b. Type:

keytool -genkey -alias tomcat -keyalg RSA

2 Respond to the prompts as appropriate; for first and last name, enter the computer (host) name on which the Shared Services application server is running.

By default, the .keystore file is stored in the Windows user home directory or the UNIX user $HOME directory.

3 Export the .keystore file:


❍ Windows:


❍ UNIX:


b. Type:

❍ Windows:

keytool -export -keystore “WINDOWS_USER_HOME_DIRECTORY\ .keystore” -file server.cert -alias tomcat


❍ UNIX:

keytool -export -keystore “USER_$HOME_DIRECTORY/.keystore” -file server.cert -alias tomcat

4 Import the .keystore file to cacerts:


❍ Windows:


❍ UNIX:


b. Type:

❍ Windows:

keytool -import -keystore “HYPERION_HOME\common\JDK\Sun\ 1.4.2\jre\lib\security\cacerts” -file server.cert -alias tomcat

❍ UNIX:

keytool -import -keystore “HYPERION_HOME/common/JDK/Sun/ 1.4.2/jre/lib/security/cacerts” -file server.cert -alias tomcat

For more details on using keytool, visit this website:

http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Configuring the Tomcat server.xml File

➤ To configure the Tomcat server.xml file:

1 Copy the commented SSL <Connector ...> entry from:

● Windows:

HYPERION_HOME\common\appServers\Tomcat\5.0.28\conf\server.xml

● UNIX:

HYPERION_HOME/common/appServers/Tomcat/5.0.28/conf/server.xml

to

● Windows:

HSS_HOME\AppServer\InstalledApps\Tomcat\5.0.28\ SharedServices9\conf\server.xml

● UNIX:

HSS_HOME/AppServer/InstalledApps/Tomcat/5.0.28/ SharedServices9/conf/server.xml

where HSS_HOME is the location where Shared Services is installed, for example:

c:\Hyperion\SharedServices\9.2 on Windows or /home/username/Hyperion/SharedServices/9.2 on UNIX

2 Uncomment the SSL Connector entry you copied into:


HSS_HOME\AppServer\InstalledApps\Tomcat\5.0.28\ SharedServices9\conf\server.xml

The SSL Connector entry in the file you copied from should be left commented.

3 Add the “keystoreFile” attribute in the <Connector ….> tag and set the “keystoreFile” value to the location of the .keystore file you created earlier.

Windows: Example for Tomcat 5.0.28:

<! -- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --><Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="<WINDOWS_USER_HOME_DIRECTORY>/.keystore"/>

UNIX: Example for Tomcat 5.0.28, pointing to the .keystore file located in the root directory :

<! -- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --><Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/.keystore"/>

Modifying the hub.properties File

➤ To modify the hub.properties file to use HTTPS:

1 Open the hub.properties file from this directory:

● Windows:

HSS_HOME\AppServer\InstalledApps\Tomcat\5.0.28

● UNIX:

HSS_HOME/AppServer/InstalledApps/Tomcat/5.0.28

where HSS_HOME is the location where Shared Services is installed, for example:

c:\Hyperion\SharedServices\9.2 on Windows or /home/username/Hyperion/SharedServices/9.2 on UNIX

2 Add the following entry at the end of the file:

sslEnabled=true

Note: Delete this entry when Shared Services HSS is running on HTTP.

Using the Hyperion Remote Authentication Module 103

C h a p t e r

11Using the Hyperion Remote

Authentication Module

This chapter explains the purpose of the Hyperion Remote Authentication Module and provides instructions for setting it up and starting it.

Hyperion Remote Authentication Module is an optional component for external authentication.

In This Chapter About the Hyperion Remote Authentication Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Installing the Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configuring and Starting the Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

104 Using the Hyperion Remote Authentication Module

About the Hyperion Remote Authentication ModuleThe Hyperion Remote Authentication Module, formerly called the NTLM Remote Server, can be installed from the Hyperion Download Center. Installing and running the Hyperion Remote Authentication Module can be useful to the following groups:

● UNIX application users who must log on using a Windows NTLM domain

● Windows users who must log on using multiple Windows NTLM domains when no trust relationships are set up

Note: Earlier releases of Hyperion applications employing Hyperion Remote Authentication Module 7.0 return an incorrect list of users and groups if the domain element is specified in the configuration file. To avoid this situation, use only Hyperion Remote Authentication Module 7.2.x or later with 7.2.x or later of Hyperion Hub or Hyperion Shared Services. For earlier releases of Hyperion Hub, continue to use Remote Authentication Module 7.0.

UNIX Application Support for NTLMIn the following deployment scenario, the Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based application:

The configuration file resides on the application server, as do the Hyperion application binaries. The NTLM support library file (css-2_6_x.dll) is also required for NTLM connectivity. You must configure for external authentication as described in Chapter 10, “Configuring External Authentication for Shared Services.”

The NTLM Primary Domain Controller can be on a Windows 2000 server. The Hyperion Remote Authentication Module should be on a Windows 2000 server. Combining the Remote Authentication Module with the NTLM Primary Domain Controller is not recommended. The Remote Authentication Module computer needs to be in the same domain as the NTLM Primary Domain Controller.

About the Hyperion Remote Authentication Module 105

Multiple-Domain Support for NT LAN ManagerHyperion Remote Authentication Module enables a Hyperion product to authenticate users belonging to other domains that are not trusted by the domain on which the Hyperion product is installed. This removes the necessity to establish trust relationships among the domains.

In the following deployment scenario, the Hyperion Remote Authentication Module enables users of a Hyperion product to authenticate using one of two domains:

Without the Hyperion Remote Authentication Module, the only way to use multiple domains for a Hyperion product is to establish trust relationships, as shown in the following figure:


Installing the Remote Authentication ModuleOn a Windows 2000 server, install the Hyperion Remote Authentication Module. The installation program, setup.exe, is available on the Oracle® E-Delivery site.

➤ To install the Hyperion Remote Authentication Module:

1 Run setup.exe.

2 Select the language to use.

3 On the Welcome page, click Next.

4 Accept the license agreement and click Next.

5 Choose a destination location for Hyperion Remote Authentication Module and click Next. Hyperion recommends you accept the default location.

6 Provide a value for the HYPERION_HOME environment variable. Hyperion recommends you accept the default location.

7 Enter the host name and port number for the computer hosting the Hyperion Remote Authentication Module. The default port number is 58000.

8 If you are using Secure Sockets Layer with your NTLM deployment, select the option to support SSL.

For SSL configuration, you must provide a value for the <authProtocol></authProtocol> element in the security platform configuration XML file shipped with Shared Services (or alternately, the file shipped with an individual Hyperion product). See “Setting Authorization Type (Optional)” on page 79.

Note: Hyperion Remote Authentication Module does not support SSL connections on AIX.

9 Click Next.

10 Review the summary of your installation choices, and click Next to begin the installation.

11 Click Finish to complete the installation.

Configuring and Starting the Remote Authentication Module

➤ Before using the Hyperion Remote Authentication Module, complete the following additional steps:

1 On the computer hosting the Hyperion products that connect to Hyperion Remote Authentication Module, modify the values in the <location> tags in the <remoteServer> section of the configuration file, to tell the application where to find the Remote Authentication Module.

You must provide a value for the <remoteServer></remoteServer> element in the external authentication configuration XML file shipped with Shared Services (or alternately, with each Hyperion product).

Configuring and Starting the Remote Authentication Module 107

2 Run the remote authentication module by selecting Start > Programs > Hyperion > Foundation Services > Hyperion Remote Authentication Module > Run Authentication Server.

Sample External Authentication Deployment Scenarios 109

C h a p t e r

12Sample External Authentication

Deployment Scenarios

This chapter contains sample external authentication deployment scenarios.

In This Chapter Single LDAP Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Single Microsoft Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

UNIX Application and Single NTLM Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Windows Application and Single NTLM Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

UNIX Application Against LDAP, MSAD, and NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Windows Application Against LDAP, MSAD, and NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Multiple MSAD Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Multiple LDAP Directory Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Multiple NTLM Domains with Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module . . . . . . . . . . . . . . . . . 119

Single Sign-On with SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Deployment References from LDAP Product Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

110 Sample External Authentication Deployment Scenarios

Single LDAP DirectoryThe following figure illustrates a deployment scenario using LDAP:

The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Configuration Console, as described in Chapter 10, “Configuring External Authentication for Shared Services.” The application server can be on UNIX, Windows 2000 server, or Windows 2003 server. The directory server can be on UNIX, Windows 2000 server, or Windows 2003 server.

A secure SSL connection can be used.

The directory server and the application server can be combined into one server. In such a scenario, the application binaries and the directory server binaries reside on one server.

In the single LDAP directory scenario:

● All users must use one prefix, such as cn or uid.

● All groups must use one prefix, such as cn or ou.

● Referrals are not supported.

● Users and groups should exist under nodes, such as ou=People and ou=Groups, for optimal data-retrieval performance.

A sample corporate directory schema follows:

Single Microsoft Active Directory 111

Single Microsoft Active DirectoryThe following figure illustrates a deployment scenario using MSAD:

The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, “Configuring External Authentication for Shared Services.” The application server can be on UNIX, Windows 2000 server, or Windows 2003 server. The directory server must be on a Windows 2000 or 2003 server.


The directory server and the application server can be combined into one server. In this scenario, the application binaries and the directory server binaries reside on one server.

In the single MSAD scenario:

● All users must use one prefix, such as cn or uid.

● All groups must use one prefix, such as cn or ou.

● Referrals are supported, if configuration enables it as described in “Adding Referral Support (Optional, MSAD Only)” on page 94.

● Users and groups should exist under nodes, such as cn=Users, for optimal data-retrieval performance.

A sample corporate directory schema follows:


UNIX Application and Single NTLM DomainThe following figure illustrates a deployment scenario in which a UNIX-based application accesses information from a Windows NTLM domain controller. This implementation depends also on the Hyperion Remote Authentication Module, which must be configured and running on a Windows server. The Remote Authentication Module can be installed from the Hyperion Download Center. The Remote Authentication Module is needed because the external authentication mechanism depends on the NTLM support library file (DLL) for NTLM authentication, and DLLs are not supported on UNIX.

Note: The Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based application. Install the Remote Authentication Module from the Hyperion Download Center.

The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, “Configuring External Authentication for Shared Services.”

The NTLM support library file (DLL) file is required for the NTLM connectivity.

The application server is assumed to be on UNIX, requiring the Hyperion Remote Authentication Module to enable NTLM authentication.

The NTLM Primary Domain Controller server can be on a Windows 2000 server or a Windows 2003 server. The Hyperion Remote Authentication Module should be on a Windows 2000 server or a Windows 2003 server. Combining the Remote Authentication Module with the NTLM Primary Domain Controller server is not recommended. The Remote Authentication Module computer must be in the same domain as the NTLM Primary Domain Controller server.

Windows Application and Single NTLM Domain 113

The security platform can communicate over a secure medium such as Secure Sockets Layer (SSL) with the Hyperion Remote Authentication Module. If you must use SSL, select the SSL option when installing the Hyperion Remote Authentication Module. For complete installation instructions, see Chapter 11, “Using the Hyperion Remote Authentication Module.”

Windows Application and Single NTLM DomainThe following figure illustrates a deployment scenario in which a Windows-based application accesses information from a Windows NTLM domain controller:



The NTLM Primary Domain Controller server can be on a Windows 2000 server or a Windows 2003 server.


UNIX Application Against LDAP, MSAD, and NTLMThe following figure illustrates a deployment scenario in which a UNIX-based application accesses information from multiple directory stores. The Hyperion Remote Authentication Module is required for access to the Windows NTLM domain. Configuration of the search order is important in this scenario.

Note: The Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based application. Install the Remote Authentication Module from the Hyperion Download Center. For installation instructions, see Chapter 11, “Using the Hyperion Remote Authentication Module.”

Windows Application Against LDAP, MSAD, and NTLM 115

Windows Application Against LDAP, MSAD, and NTLMThe following figure illustrates a deployment scenario in which a Windows-based application accesses information from multiple directory stores:


The NTLM support library file (DLL) file is required for the NTLM connectivity. The configuration for external authentication should be done as described in the rest of this document. The NTLM Primary Domain Controller can be on a Windows 2000 server or a Windows 2003 server.

For LDAP-compatible directories, a secure SSL connection can be used.

The configuration of the search order property in the XML configuration file determines the order in which each directory store receives requests for information from the application. For example, the first instance of a requested user found while going through the search order is the instance used by the external authentication mechanism to retrieve and return information about the user to the application. Therefore, although three directories can host user information, it is recommended user information not be duplicated across the directories. Duplication can lead to the incorrect user object being authenticated.

For information about configuring the search order, see “Setting the Search Order” on page 86.


Multiple MSAD InstancesThe following figure illustrates a deployment of multiple MSAD instances holding user authentication information:


To enable the application server to enable authentication from the directory servers shown in the preceeding figure, the directory servers must be indicated in the search order. The most frequently used directory should be indicated first in the search order. For information about configuring the search order, see “Setting the Search Order” on page 86.


Multiple LDAP Directory Instances 117

Multiple LDAP Directory InstancesThe following figure illustrates a deployment of multiple LDAP instances holding user authentication information:


To enable the application server to enable authentication from the directory servers shown the preceeding figure, the directory servers must be indicated in the search order. The most frequently used directory should be indicated first in the search order. For information about configuring the search order, see “Setting the Search Order” on page 86.



Multiple NTLM Domains with Trust RelationshipsWhen there are multiple Windows NTLM domains which hold user authentication information, one solution is to establish trust relationships among the domains, as shown in the following figure:


The NTLM support library file (DLL) file is required for the NTLM connectivity. The configuration for external authentication should be done as described in the rest of this document. The NTLM Primary Domain Controllers can be on Windows 2000 or Windows 2003 servers.

Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module 119

Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module

When there are multiple Windows NTLM domains holding user authentication information, an additional solution is to link the domains using the Hyperion Remote Authentication Module (compare to the scenario described in “Multiple NTLM Domains with Trust Relationships” on page 118). This scenario eliminates the necessity of establishing trust relationships among the domains, as shown in the following figure:

The Hyperion Remote Authentication Module gives users of Hyperion applications on Windows the ability to log on using multiple domains, without the need for the administrator to create trust relationships among the domains. In the preceeding figure, Windows users can log on using domain D2 in addition to the more commonly used domain D1, because the Hyperion Remote Authentication Module is running, giving access to domain D2. Note that D1 does not trust D2.

The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console as described in Chapter 10, “Configuring External Authentication for Shared Services.”


The NTLM Primary Domain Controllers can be on Windows 2000 or Windows 2003 servers.

The security platform can communicate over a secure medium such as Secure Sockets Layer (SSL) with the Hyperion Remote Authentication Module. If you must use SSL, select the SSL option when installing the Hyperion Remote Authentication Module. For complete installation instructions, see Chapter 11, “Using the Hyperion Remote Authentication Module.”


Single Sign-On with SiteMinderSiteMinder is a Web access management solutions provider sometimes employed by companies to manage and enforce authentication, authorization, and single sign-on for company Web resources. The Hyperion security platform enables single sign-on for a user into a Web-based Hyperion application without challenging the user for credentials, as long as SiteMinder authenticates the user. Integration with SiteMinder requires configuration of the <securityAgent></securityAgent> element in the XML configuration file.

Note: If your corporation uses a security agent to protect company Web resources, the corporate authentication repository (for example, LDAP, MSAD, or NTLM) must be trusted, because the Hyperion security platform does not store a password in the token when a security agent is used.

The following figure illustrates a scenario enabling single sign-on with SiteMinder and a Hyperion application:

The Hyperion application trusts the authentication and authorization information sent by SiteMinder with regards to the protected resources on the directory server. Therefore, the Hyperion security platform supports Tier 1 integration with SiteMinder.

The Web agent is installed on a Web server that intercepts requests for the Hyperion application’s Web resources, such as JSP, ASP, or HTML files on the application server. If these Web resources are protected, the Web agent issues a challenge for unauthenticated users. When the user is authenticated, the policy server adds to the HTTP headers another header, named HYPLOGIN, whose value is the login name of the authenticated user. Thereafter, the HTTP

Deployment References from LDAP Product Vendors 121

request is passed on to the Web resources of the Hyperion application, and the login name is extracted from the headers. For more details on configuring the header HYPLOGIN and populating it, see “Configuring SiteMinder Single Sign-On” on page 96.

Deployment References from LDAP Product VendorsSun ONE Directory Server 5.2 Deployment Guide:

http://docs.sun.com/app/docs/doc/816-6700-10

iPlanet Directory Deployment Guide for v5.1:

http://192.18.99.138/816-5609-10/816-5609-10.pdf

iPlanet Directory Deployment Guide for v4.16:

http://192.18.99.138/816-6679-10/816-6679-10.pdf

Active Directory Deployment Guide:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/default.mspx

Manual Deployment to WebSphere Application Server 123

A P P E N D I X

AManual Deployment to

WebSphere Application Server

In This Chapter Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Basic Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Detailed Deployment Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Modifying Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

124 Manual Deployment to WebSphere Application Server

Location ReferencesThe procedures in this section use the following location references to refer to the directories on your system:

● <WAS_HOME> is the installation directory of the WebSphere server; for example, C:\IBM \WebSphere\AppServer (Windows) or /opt/websphere (UNIX).

● <HSS_HOME> is the directory in which you installed Shared Services.

● <HYPERION_HOME> is the directory you specified during the Hyperion product installation.

Note: Unless noted specifically in this chapter, forward slashes in directory paths apply to both Windows and UNIX.

Prerequisites Complete these tasks before beginning:

● Install WebSphere application server and ensure it is running (see the WebSphere documentation).

● In WebSphere, create a profile and a server.

● Install Shared Services to the same computer as the application server (see Chapter 4, “Installing and Upgrading Shared Services”).

Note: Shared Services cannot be installed to directories with names containing spaces; for example, the Program Files directory.

● After installation, run Hyperion Configuration Utility to configure Shared Services. Select the database configuration and application server deployment tasks. Provide the database information, and then select the manual deployment option on the Application Server selection panel. Selecting the manual deployment option copies the necessary files to:

<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1 (for WebSphere 5.1)

<HSS_HOME>/AppServer/InstalledApps/other (for WebSphere 6.1)

Basic Deployment InstructionsThis section provides high-level instructions for manually deploying to WebSphere 5.1.1.7 or WebSphere 6.1 application servers. See “Location References” on page 124 for the list of location references used in this section to refer to the directories on your system.

For detailed manual deployment instructions, see “Detailed Deployment Instructions” on page 127.

Define Environment Variables Create the following application server environment variables:

Basic Deployment Instructions 125

● HYPERION_HOME: Set the value to the <HYPERION_HOME> directory you specified during the Hyperion product installation.

● HSS_HOME: Set the value to the <HSS_HOME> directory you specified during the Shared Services installation.

Create the Shared Library Create the Hyperion Shared Services shared library at the server level and add these libraries to the Hyperion Shared Services library.

WebSphere 5.1.1.7● Windows:

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\HubProductBean.jar

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-collections-3.1.jar

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-dbcp.jar

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-pool.jar

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\hyjdbc.jar

${HYPERION_HOME}\common\XML\JDOM\0.8.0\jdom.jar

${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib

${HYPERION_HOME}\common\SAP\lib

On Windows, add the following path to the Native Library Path field:

<HYPERION_HOME>\common\CSS\9.2.1.0\bin

● UNIX:

${HSS_HOME}/AppServer/InstalledApps/WebSphere/5.1

${HSS_HOME}/AppServer/InstalledApps/WebSphere/HubProductBean.jar

${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-collections-3.1.jar

${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-dbcp.jar

${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-pool.jar

${HSS_HOME}/AppServer/InstalledApps/WebSphere/hyjdbc.jar

${HYPERION_HOME}/common/XML/JDOM/0.8.0/jdom.jar

${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib

${HYPERION_HOME}/common/SAP/lib

WebSphere 6.1● Windows:

${HSS_HOME}\AppServer\InstalledApps\other


${HSS_HOME}\AppServer\InstallableApps\other\HubProductBean.jar

${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib\hyjdbc.jar

${HSS_HOME}\AppServer\InstalledApps\other\commons-collections-3.1.jar

${HSS_HOME}\AppServer\InstalledApps\other\commons-dbcp.jar

${HSS_HOME}\AppServer\InstalledApps\other\commons-pool.jar




On Windows, add the following path to the Native Library Path field:


● UNIX:

${HSS_HOME}/AppServer/InstalledApps/other

${HSS_HOME}/AppServer/InstallableApps/other/HubProductBean.jar

${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar

${HSS_HOME}/AppServer/InstalledApps/other/commons-collections-3.1.jar

${HSS_HOME}/AppServer/InstalledApps/other/commons-dbcp.jar

${HSS_HOME}/AppServer/InstalledApps/other/commons-pool.jar




● On Windows, add the following path to the Native Library Path field:


Add a Transport Chain Use the WebSphere administrative console to create a new transport chain. You must specify the following information:

● A port name (for example, HSS)

● The host name (you can enter *) or IP address for that port

● The port number under which Shared Services is going to run

Deploy the WAR File Deploy the Shared Services WAR file, interop.war. The interop.war file is in the following location (Windows and UNIX):

<HSS_HOME>/AppServer/InstalledApps/other/interop.war (for WebSphere 6.1)

<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1/interop.war (for WebSphere 5.1)

Detailed Deployment Instructions 127

Override Session Management Check Override Session Management to override the server setting.

Change the HTTP Cookie Name Ensure HTTP cookies are enabled and change the cookie name to HUBSESSIONID.

Increase JVM Memory If sharing large models, you must increase the amount of memory WebSphere allocates for the JVM. For instructions, see “Increasing the Memory Allocation for JVM” on page 133.

Modify Configuration FilesFor instructions, see “Modifying Configuration Files” on page 137.

Note: For WebSphere 5.1.1.7, you also need to replace a jdom.jar file. See “Detailed Deployment Instructions” on page 127.

Detailed Deployment Instructions

WebSphere 5.1.1.7This section provides detailed instructions for manually deploying to WebSphere 5.1.1.7 application server. See “Location References” on page 124 for the list of location references used in this section to refer to the directories on your system.

Before you begin deploying, review the “Prerequisites” on page 124.

➤ To manually deploy Shared Services to WebSphere application server:

1 Start the WebSphere server.

2 Log on as the administrator to the WebSphere Administration Console using this URL:

http://servername:portno/ibm/console

For servername and portno, enter the server and port on which WebSphere is running. The default location is http://localhost:9090/ibm/console.

3 Create the HYPERION_HOME and HSS_HOME WebSphere environment variables:

a. In the left frame, select Environment > Manage WebSphere Variables.

b. Select the server scope, click New, and create the following variables:

❍ HYPERION_HOME: Set the value to the <HYPERION_HOME> directory you specified during installation.


❍ HSS_HOME: Set the value to the <HSS_HOME> directory you specified during installation.

4 Create a new shared library called Hyperion Shared Services Libraries:

a. In the left frame, select Environment > Shared Libraries.

b. Select the server scope and click New.

c. Name the shared library Hyperion Shared Services Libraries, and add the following libraries to the shared library:

❍ Libraries (Windows):

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\HubProductBean.jar

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-collections-3.1.jar

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-dbcp.jar

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-pool.jar

${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\hyjdbc.jar




❍ Libraries (UNIX):

${HSS_HOME}/AppServer/InstalledApps/WebSphere/5.1

${HSS_HOME}/AppServer/InstalledApps/WebSphere/HubProductBean.jar

${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-collections-3.1.jar

${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-dbcp.jar

${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-pool.jar

${HSS_HOME}/AppServer/InstalledApps/WebSphere/hyjdbc.jar




❍ On Windows, add the following path to the Native Library Path field:


d. Click OK.

5 Create or update virtual hosts:

a. In the left frame, select Environment > Virtual Hosts.

b. Select default host and click New.

By default, Shared Services is configured to run on port 58080.

c. Create or update a Virtual Host by defining a Host Alias for port 58080.

For details, please refer to the WebSphere documentation.


6 Deploy the .WAR file:

a. In the left frame, select Applications > Enterprise Applications.

b. Click Install.

c. Navigate to this location (Windows and UNIX):

<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1/interop.war

d. Set the context root to interop, click Next.

Caution! Once you set the context root to interop, do not modify.

e. Click Next and then accept the defaults on the following screens until the Install New Application screen.

f. Select the virtual host of your choice and select Hyperion System 9 Shared Services, click Next, then click Finish.

g. For Map modules to application servers, select Hyperion System 9 Shared Services, click Next, then click Finish.

h. After the confirmation message about a successful deployment is displayed, click Save to Master Configuration.

7 Add a transport chain:

a. In the left frame, select Servers > Application servers > <server_name>.

b. Under Additional Properties, click Web Container.

c. Click HTTP transports and click New.

d. Specify a port name (for example, HSS), the host name (you can enter *) or IP address for that port, and the port number under which Shared Services is going to run.

e. Click OK.

8 Update Java Virtual Machine custom properties:

a. In the left frame, select Servers > Application Servers > <servername>.

b. Scroll down and click Process Definition.

c. Scroll down and click Java Virtual Machine.

d. Scroll down to Additional Properties and then click Custom Properties.

e. Click New.

f. Update the name to "hyperion.home" and the value to <HYPERION_HOME>.

g. Click OK.

9 Reference the Shared Library:


b. Select interop.war.

c. Under General Properties, change the Classloader Mode setting to PARENT_LAST.


d. Set a reasonable value for Reload Interval and then click OK.

e. Under Additional Properties, select Libraries.

f. Click Add and then select Hyperion Shared Services Libraries, and then click OK.

10 Override session management:

a. In the left frame, select Applications > Enterprise Applications and in the right frame, click interop.war.

b. In Additional Properties, click Session Management.

c. Check Overwrite to overwrite the server setting.

d. Select Enable Cookies, change the cookie name to HUBSESSIONID, and click Apply.

11 Select the Save command in the top menu bar to save the entire configuration.

12 Replace the jdom.jar file:

a. Locate the jdom.jar file in <WAS_HOME>/lib and rename it to jdom.jar_ori.

b. Copy the jdom-b9.jar from:

<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1/

to

<WAS_HOME>/lib

13 Modify configuration files. For instructions, see “Modifying Configuration Files” on page 137.

14 Stop the WebSphere server application.

WebSphere is now configured to run Shared Services.

15 Start the WebSphere server application.

16 Log on User Management Console using this URL:

http://ServerName:ServerPort/interop; for example, http://localhost:58080/interop.

WebSphere 6.1This section provides detailed instructions for manually deploying to WebSphere 6.1 application server. See “Location References” on page 124 for the list of location references used in this section to refer to the directories on your system.


➤ To manually deploy Shared Services to WebSphere application server:



http://servername:portno/ibm/console

For servername and portno, enter the server and port on which WebSphere is running. The default location is http://localhost:9060/ibm/console.

3 Create the HYPERION_HOME and HSS_HOME WebSphere environment variables:


a. In the left frame, select Environments > WebSphere Variables.

b. Select the server scope, click New, and create the following variables:

❍ HYPERION_HOME: Set the value to the <HYPERION_HOME> directory you specified during installation.

❍ HSS_HOME: Set the value to the <HSS_HOME> directory you specified during installation.

4 Create a new shared library called Hyperion Shared Services Libraries:

a. In the left frame, select Environment > Shared Libraries.

b. Select the server scope and click New.

c. Name the shared library Hyperion Shared Services Libraries, and add the following libraries to the shared library:

❍ Libraries (Windows):

${HSS_HOME}\AppServer\InstalledApps\other

${HSS_HOME}\AppServer\InstallableApps\other\HubProductBean.jar

${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib\hyjdbc.jar

${HSS_HOME}\AppServer\InstalledApps\other\commons-collections-3.1.jar

${HSS_HOME}\AppServer\InstalledApps\other\commons-dbcp.jar

${HSS_HOME}\AppServer\InstalledApps\other\commons-pool.jar




❍ Libraries (UNIX):

${HSS_HOME}/AppServer/InstalledApps/other

${HSS_HOME}/AppServer/InstallableApps/other/HubProductBean.jar

${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar

${HSS_HOME}/AppServer/InstalledApps/other/commons-collections-3.1.jar

${HSS_HOME}/AppServer/InstalledApps/other/commons-dbcp.jar

${HSS_HOME}/AppServer/InstalledApps/other/commons-pool.jar




❍ On Windows, add the following path to the Native Library Path field:


d. Click OK.

5 Create or update virtual hosts:

a. In the left frame, select Environment > Virtual Hosts.

By default, Shared Services is configured to run on port 58080.

b. Create or update a Virtual Host by defining a Host Alias for port 58080.


For details, please refer to the WebSphere documentation.

6 Deploy the .WAR file:


b. Click Install.

c. Navigate to this location (Windows and UNIX):

<HSS_HOME>/AppServer/InstalledApps/other/interop.war (for WebSphere 6.1)

<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1/interop.war (for WebSphere 5.1)

d. Set the context root to interop, click Next.

Caution! Once you set the context root to interop, do not modify.

e. Click Next to accept the defaults.

f. Select the virtual host of your choice and select Hyperion Shared Services, click Next, then click Finish.

g. After the Application Server is Successfully Deployed confirmation message is displayed, click Save to Master Configuration.

7 Add a transport chain:

a. In the left frame, select Servers > Application servers > <server_name>.

b. Under Web container settings, click Web container transport chains.

c. Click New. The Create New Transport Chain wizard initializes. Specify the following information:

❍ A name for the new chain (for example, HSS).

❍ A transport chain template (for security).

❍ A port name (for example, HSS), the host name (you can enter *) or IP address for that port, and the port number under which Shared Services is going to run.

d. Click Finish.

8 Update JVM custom properties:

a. In the left frame, select Servers > Application Servers > <servername>.

b. Select Java and Process Management > Process Definition > Java Virtual Machine > Custom Properties.

c. Define a custom property with key "hyperion.home" and value <HYPERION_HOME>.

9 Reference the Shared Library:


b. Select interop.war.

c. Under Detail Properties, select Class loading and update detection.


d. For Class Loader Order, select Class loaded with Application Class loader first.

e. Set a reasonable value for Polling interval and then click OK.

f. Under References, select Shared Library References.

g. Select the Hyperion System 9 Shared Services Module and click Reference Shared Libraries.

h. Select the Hyperion Shared Services Libraries Shared Library. Then click OK.

10 Override session management:

a. In the left frame, select Enterprise Applications and in the right frame, click interop.war.

b. In Web Module Properties, click Session Management.

c. Check Override Session Management to override the server setting.

d. Select Enable Cookies, change the cookie name to HUBSESSIONID, and click Apply.

11 Select the Save command in the top menu bar to save the entire configuration.

12 Modify configuration files. For instructions, see “Modifying Configuration Files” on page 137.

13 Stop the WebSphere server application.

WebSphere is now configured to run Shared Services.

14 Start the WebSphere server application.

15 Log on User Management Console using this URL:

http://ServerName:ServerPort/interop; for example, http://localhost:58080/interop.

Increasing the Memory Allocation for JVM If you share large models, you must increase the amount of memory WebSphere allocates for JVM.

➤ To increase the WebSphere memory allocation for JVM:

1 Log on as the administrator to the WebSphere Administration Console by opening a browser and setting the address to http://servername:portno/admin where servername and portno are the server and port (specified during installation) on which the WebSphere server is running.

The default location is http://localhost:58080/admin.

2 In the left frame, select Servers > Application Servers; in the right frame, select SharedServices9 (or if you installed manually, select the server to which you installed Shared Services).

3 Select Additional Properties Process Definition.

4 Select Additional Properties Java Virtual Machine.

5 Set Initial Heap Size to 128. (Size is in megabytes.)

6 Set Maximum Heap Size to as much memory as you can allocate for the computer.

Hyperion recommends a setting of 1024. (Size is in megabytes.)


7 Click OK.

8 Click OK.

9 Select the Save menu command.

10 Restart the Shared Services server.

Troubleshooting the WebSphere Application Server ConfigurationIf you are unable to start Shared Services, follow the procedure in this section to troubleshoot the WebSphere server configuration.

➤ To troubleshoot the WebSphere server configuration:


In most cases this is the WebSphere default server: server1. Type the following text at the command prompt: startServer server1 (Windows) or ./startServer.sh server1 (UNIX)


http://servername:portno/admin

For servername and portno, enter the server and port on which WebSphere is running. The default location is http://localhost:9060/admin.

3 In the left frame, open the Servers folder, click Application Servers, and verify there is a server named SharedServices9.

4 In the left frame, open the Environment folder, click Manage Websphere Variables, and ensure the context is set to Cell=DefaultNode, Node=DefaultNode.

5 Ensure the HYPERION_HOME environment variable is set and that it points to the correct directory. If it does not exist, create it.

6 In the left frame, open the Environment folder, click Virtual Hosts, and verify there is a virtual host named hyperionVirtualHost:

● If there is no virtual host named hyperionVirtualHost, follow these steps:

i. Click New.

ii. Enter the name hyperionVirtualHost and click OK.

iii. Select the hyperionVirtualHost link.

iv. In Additional Properties, select the Host Aliases link. Click Add.

v. Enter a Host Name of *.

vi. Enter the port number to use for Shared Services.

Note: Each application port number must be unique. If you modify a default port number, change it to a port number not currently used.


vii. Click OK to create the Host Alias.

viii. Click OK to save the changes to hyperionVirtualHost.

ix. Select Save to save the change.

● If there is a virtual host named hyperionVirtualHost:

i. Select the hyperionVirtualHost link.

ii. In Additional Properties, select the Host Aliases link.

iii. Select the link * and verify the port number is the one specified during Shared Services installation. This port number must not be used by other Web applications on your server. Take one of these actions:

❑ If the port number is used by another application, correct the port number and click OK to save the change.

❑ If the port number is correct, click Cancel to return to the previous screen.

iv. Click OK to save the changes to hyperionVirtualHost.

v. If you changed the port number, select Save Menu to save the change.

7 In the left frame, open the Environment folder, click Shared Libraries, and verify the scope is set as follows:

Cell=DefaultNode, Node=DefaultNode, Server=SharedServices9

If the scope is not set correctly:

a. Expand the scope section.

b. Correct the information and click Apply to save the change.

8 Verify there is a shared library at the server level called Hyperion Shared Services Libraries:

● If the shared library does not exist, follow the procedure in the configuration section for creating this shared library.

● If the shared library exists, click the Hyperion Shared Services Libraries link and verify there is a carriage return after each class path. Click OK.

● If the shared library exists but was accidentally created at the node level, rename the server level library set and link it to the interop.war file (see step 10).

9 In the left frame, open the Applications folder, click Enterprise Application, and verify there is an application called adminconsole_SharedServices9.

If the application does not exist, you cannot use Hyperion Configuration Utility when the SharedServices9 server is running. You can do what you are doing now, which is to start the server1 server, make your changes, shut down server1 and start the SharedServices9 service.

10 In the left frame, open the Applications folder, click Enterprise Application, and verify there is an application called interop.war:

● If the interop.war application does not exist, create one:

i. Click Install and navigate to the file: <HSS_HOME>/AppServer/InstallableApps/ common/WebSphere/<version>/interop.war.

ii. Set the context root to interop and click Next.


Caution! Once the context root is set to interop, do not modify.

iii. Click Next to accept the defaults on the Bindings page.

iv. Click Continue on the Application Security Warning page.

v. Click Next to accept the defaults.

vi. Select hyperionVirtualHost and select Hyperion Shared Services. Click Next.

vii. Select Hyperion Shared Services.

viii. Select the Server WebSphere: cell=DefaultNode, node=DefaultNode, and server=SharedServices9. Click Apply to move it to the Hyperion Shared Services Server.

ix. Click Next. Click Finish.

x. Select Save to Master Configuration and click Save.

xi. In the left frame, open the Applications folder and click Enterprise Application.

● If the interop.war application exists or if you just installed the interop.war application:

i. Select the interop.war link.

ii. Select the Additional Properties Libraries link.

iii. If the Hyperion Shared Services Libraries link is not displayed, click Add, select Hyperion Shared Services Libraries, and click OK.

iv. Select Additional Properties Session Management.

v. Select Enable Cookies and ensure the cookie name is set to HUBSESSIONID. Click OK to return to the previous screen.

vi. Ensure Override is selected. Click OK to return to the previous page.

vii. Click OK to save your changes.

viii. Select the Save menu command to save your changes to the Master Configuration, and click Save again to save the changes.

ix. In the HubProductBean.jar file, remove the classes related to the jce1_2_2.jar file.

These are classes that are part of the package structure 'javax/crypto/' from HubProductBean.jar.

11 Log off the Administration page and stop the application server.

12 Start the SharedServices9 Application Server by typing the following text at the command prompt: startServer server1 (Windows) or ./startServer.sh server1 (UNIX).

13 In a Web browser, try to start the following Web page:

http://localhost:58080/interop/framework/login

Note: Use the port number you specified during Shared Services installation.

Modifying Configuration Files 137

If this page is not displayed, review the following log file: <WAS_HOME>/WebSphere/AppServers/logs/server1/SystemOut.log

You can ignore most of the errors generated because you have yet to set up HUB. However, if the log file says it cannot find the Default.xml file, HUB cannot start and you must check whether it is because of one of these reasons:

● The Hyperion Shared Services Libraries definition is incorrect and each class is not on its own line.

● The libraries are not defined for interop.war.

● The <HYPERION_HOME> environment variable is incorrect.

If after following these additional steps you still cannot start Shared Services, contact Hyperion Technical Support.

Modifying Configuration Files This section details the files to modify. The values listed for driver classes, adapter classes, and URLs should be used to replace the values provided in the section “Files To Modify” on page 138.

Driver Classes ● SQL Server: hyperion.jdbc.sqlserver.SQLServerDriver

● Oracle: hyperion.jdbc.oracle.OracleDriver

● DB2: hyperion.jdbc.db2.DB2Driver

Adapter Classes ● SQL Server: org.apache.slide.store.impl.rdbms.SQLServerRDBMSAdapter

● Oracle: org.apache.slide.store.impl.rdbms.OracleRDBMSAdapter

● DB2: org.apache.slide.store.impl.rdbms.DB2RDBMSAdapter

URLs ● For SQL Server:

jdbc:hyperion:sqlserver://hostname:1433;DatabaseName=databasename

For example,

jdbc:hyperion:sqlserver://user.hdc.net:1433;DatabaseName=hyperion

● For Oracle:

jdbc:hyperion:oracle://hostname:1521;SID=SIDName

For example,

jdbc:hyperion:oracle://hyperion2003:1521;SID=ora92

● For DB2:


jdbc:hyperion:db2://hostname:50000;DatabaseName=databasename; MaxPooledStatements=40;DynamicSections=3000

For example:

jdbc:hyperion:db2://user.hdc.net:50000;DatabaseName=HYPERION; MaxPooledStatements=40;DynamicSections=3000

Files To Modify The following files require modification using the values provided in the previous section and in the following topics:

● Domain.xml

● slide.properties

● CSS.xml

● scheduler.properties

● WorkflowEngine.properties

These files are located in:

<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1 (for WebSphere 5.1)

<HSS_HOME>/AppServer/InstalledApps/other (for WebSphere 6.1)

Domain.xml Change the following values to the values for your relational database:

<parameter name="driver">JDBC_DRIVER</parameter>

<parameter name="adapter">JDBC_ADAPTER</parameter>

<parameter name="url">JDBC_URL</parameter>

<parameter name="user">DB_USERNAME</parameter>

<parameter name="password">DB_PASSWORD</parameter>

For instance if you are using DB2:

<parameter name="driver">hyperion.jdbc.db2.DB2Driver</parameter>

<parameter name="adapter">org.apache.slide.store.impl.rdbms. DB2RDBMSAdapter</parameter>

<parameter name="url">jdbc:hyperion:db2://user.hdc.net:50000; DatabaseName=HYPERION;MaxPooledStatements=40;DynamicSections=3000 </ parameter>

<parameter name="user">db2admin</parameter>

<parameter name="password">MqEM/uFmOZucduv9jcWaAg==</parameter>

Change the value for css_config to a valid path for the CSS.xml file.

slide.properties Change the value for org.apache.slide.domain to a valid path for the Domain.xml file.

For example, if you are deploying to WebSphere 6, change the following value for org.apache.slide.domain:


org.apache.slide.domain=F:/cc/cms/server/AppServer/InstalledApps/ Tomcat/Base/Domain.xml

to this value:

org.apache.slide.domain=C:/Hyperion/SharedServices/9.2/AppServer/ InstalledApps/other/Domain.xml

CSS.xml Ensure the hostname is used instead of localhost. The hostname is the name of the computer running OpenLDAP, not the computer running the Web server (if you have a Web server). Also ensure the correct port is being used for the OpenLDAP database.

For example, change the following values:

<hub location="http://localhost:58080">


</hub>

to these values:

<hub location="http://hostname:58080">


</hub>

scheduler.propertiesIn the Configure Datasource section, update the following values for the database you are using. The following values apply if DB2 is used:

org.quartz.dataSource.myDS.driver = hyperion.jdbc.db2.DB2Driver

org.quartz.dataSource.myDS.URL = jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE; MaxPooledStatements=40;DynamicSections=1000

org.quartz.dataSource.myDS.user = db2admin <database user name>

org.quartz.dataSource.myDS.password = MqEM/uFmOZucduv9jcWaAg== <database password>

Values for Driver Class are listed in “Driver Classes” on page 137. Values for URLs are listed in “URLs” on page 137.

WorkflowEngine.propertiesUpdate the following values for the database you are using. The following values apply if DB2 is used:

workflowEngine.jdbc.product=db2

workflowEngine.jdbc.driver=hyperion.jdbc.db2.DB2Driver

workflowEngine.jdbc.url=jdbc:hyperion:db2://raghavr.hdc.net:50000; DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000

workflowEngine.jdbc.user=db2admin <database user name>


workflowEngine.jdbc.password=MqEM/uFmOZucduv9jcWaAg== <database password>

Values for driver class are listed in “Driver Classes” on page 137. Values for URLs are listed in “URLs” on page 137.

For the following field:

workflowEngine.jdbc.product=

use these values for the database you are using:

● MySQL - mysql

● SQLServer - sqlserver

● Oracle - oracle

● DB2 - db2

Manual Deployment to WebLogic Application Server 141

A P P E N D I X

BManual Deployment to

WebLogic Application Server

In This Appendix Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142



Modifying Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

142 Manual Deployment to WebLogic Application Server


● <BEA_HOME> is the installation directory of the BEA WebLogic server; for example, C: \bea (Windows) or /opt/bea (UNIX).

● <HSS_HOME> is the directory in which you installed Shared Services.

● <HYPERION_HOME> is the directory you specified during the Hyperion product installation.

● <HSS_WL_HOME> is the location where Hyperion Configuration Utility puts the files needed to manually deploy Shared Services:

<HSS_HOME>/AppServer/InstalledApps/WebLogic/8.1 (for WebLogic 8.1)

<HSS_HOME>/AppServer/InstalledApps/other (for WebLogic 9.2)


Prerequisites Complete these tasks before beginning:

● Install WebLogic application server and ensure it is running (see the application server documentation).

● Install the NodeManager service by running the installNodeMgrSvc.cmd script located in the <BEA_HOME>/server/bin directory and start the service after installation.


Note: Shared Services cannot be installed to directories with names containing spaces; for example, the Program Files directory.

● After installation, run Hyperion Configuration Utility to configure Shared Services. Select the database configuration and application server deployment tasks. Provide the database information, and then select the manual deployment option on the Application Server selection panel. Selecting the manual deployment option copies the necessary files to:

<HSS_WL_HOME>

See “Location References” on page 142.

Basic Deployment InstructionsThis section provides high-level instructions for manually deploying to WebLogic application server. You can manually configure BEA WebLogic versions 8.1.4 and 9.2. See “Location References” on page 142 for the list of location references used in this section to refer to the directories on your system.


For detailed manual deployment instructions, see “Detailed Deployment Instructions” on page 144.

Create a New WebLogic Domain Create a new WebLogic domain or use an existing domain. Please refer to the BEA WebLogic documentation for instructions to create domains. Shared Services does not have any special requirements for creating domains.

Unpackage the WAR File and Copy Files

Note: See “Location References” on page 142 for the list of location references used in this section to refer to the directories on your system.

1 Create the following directory for unpackaging files:

<HSS_WL_HOME>/SharedServices9Domain/interop

2 Extract the contents of the interop.war file located in:

<HSS_HOME>/AppServer/InstallableApps/common

to:


3 For WebLogic 8.1:

a. Copy the following files from <HSS_WL_HOME> to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib

❍ commons-logging.jar

❍ commons-dbcp.jar

❍ commons-pool.jar

b. Copy web.xml.weblogic.81 from <HSS_WL_HOME> to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF and rename the file to web.xml.

c. Copy the jsp_servlet folder from <HSS_WL_HOME>/precompiledJSPs/jsp_servlet to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/classes.

4 For WebLogic 9.2:

a. Copy the following files from <HSS_WL_HOME> to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib

❍ commons-pool.jar

❍ commons-dbcp.jar

b. Copy commons-logging.jar from <HSS_HOME>/AppServer/InstallableApps/WebLogic/8.1 to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib.


c. Rename the web.xml.weblogic.92 file in the <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF directory to web.xml.

d. Copy mimemappings.properties from <HSS_WL_HOME> to the config folder in the WebLogic domain location.

Deploy the Web Application Modules to the SharedServices Server Install the interop deployment as an application to the SharedServices server.

The interop.war file is located in the <HSS_WL_HOME>/SharedServices9Domain/interop directory. See “Location References” on page 142.

Modify Configuration FilesFor instructions, see “Modifying Configuration Files” on page 147.

Update the ClasspathAdd the classpath settings as specified in step 8 on page 146.

Copy/Modify Additional FilesSee the “Detailed Deployment Instructions” on page 144 for additional steps.

Detailed Deployment Instructions This section provides detailed instructions for deploying to WebLogic application server. You can manually configure BEA WebLogic versions 8.1.4 and 9.2. See “Location References” on page 142 for the list of location references used in this section to refer to the directories on your system.


➤ To configure the WebLogic server for Shared Services:

1 Launch the BEA WebLogic Configuration Wizard.

2 Create a new WebLogic domain, or use an existing domain.

Please refer to the BEA WebLogic documentation for instructions to create domains. Shared Services does not have any special requirements for creating domains.

3 Start WebLogic by running startWebLogic.cmd on Windows or startWebLogic.sh on UNIX, located in the WebLogic domain location.


4 Log on to WebLogic Administration Console:

a. Open a browser and set the address to http://localhost:portno/console where portno is the port (specified during installation) on which the WebLogic server is running.

b. Use the username and password you specified earlier in this procedure.

5 Create a new server:

a. On the left-hand side of the screen, select Servers and then the option to configure a new server. Enter the server name as SharedServices and the server listen port as 58080 and save the changes.

Note: For WebLogic 9.2, select the option to create a stand-alone server.

b. On the left-hand side of the screen, select Machines and then the option to configure a new machine. Enter the name of the machine where WebLogic is installed and save the changes.

Note: The NodeManager service must be running on the computer where WebLogic is installed.

c. Select Servers and click SharedServices. Select the machine name that was created in the previous step and save the changes.

6 Unpackage and copy files (Windows and UNIX):

Note: See “Location References” on page 142 for the list of location references used in this section to refer to the directories on your system.

a. Create the following directory for unpackaging files:


b. Extract the contents of the interop.war file located in:


to:


c. For WebLogic 8.1:

i. Copy the following files from <HSS_WL_HOME> to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib

❑ commons-logging.jar

❑ commons-dbcp.jar

❑ commons-pool.jar

ii. Copy web.xml.weblogic.81 from <HSS_WL_HOME> to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF and rename the file to web.xml.


iii. Copy the jsp_servlet folder from <HSS_WL_HOME>/precompiledJSPs/jsp_servlet to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/classes.

d. For WebLogic 9.2:

i. Copy the following files from <HSS_WL_HOME> to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib

❑ commons-pool.jar

❑ commons-dbcp.jar

ii. Copy commons-logging.jar from <HSS_HOME>/AppServer/InstallableApps/WebLogic/8.1 to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib.

iii. Rename the web.xml.weblogic.92 file in the <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF directory to web.xml.

iv. Copy mimemappings.properties from <HSS_WL_HOME> to the config folder in the WebLogic domain location.

7 Deploy the new Web application modules to the SharedServices server:

a. From the WebLogic Administration Console, start the SharedServices server.

b. From the WebLogic Administration Console, select Deployment > Web application Modules and deploy/install a new web application module.

c. Select the path to the interop folder (Windows and UNIX):


d. In the subsequent installation screens, select the following options:

❍ For 9.2 only: Install this deployment as an application.

❍ The target server is SharedServices.

❍ For 9.2 only: Retain the deployment name as interop.

❍ Select the option to make the deployment accessible from a specific location, and specify the full path to the interop folder.

e. Finish and activate the changes.

8 Update the classpath:

For the SharedServices server, in Advanced options, prepend the following paths to the server classpath, separated by semi-colons (Windows and UNIX):

❍ <HSS_WL_HOME>/

❍ <HSS_WL_HOME>/HubProductBean.jar

❍ <HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar

where <HSS_WL_HOME> is:

<HSS_HOME>/AppServer/InstalledApps/WebLogic/8.1 (for WebLogic 8.1)

<HSS_HOME>/AppServer/InstalledApps/other (for WebLogic 9.2)

9 Save your changes.


10 Modify configuration files. See “Modifying Configuration Files” on page 147.

11 Copy the following files to the specified location (Windows and UNIX):

a. Copy the HubProductBean.jar file from:

<HSS_WL_HOME>/

to:

<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib

b. Copy the CSS.xml file from:

<HSS_WL_HOME>/

to:

<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/classes

c. Copy ALL *.properties files from:

<HSS_WL_HOME>/

to:

<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/classes

d. Copy the hyjdbc.jar file from:

<HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib

to:

<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib

12 Add the following tag to the <DOMAIN_LOCATION>/<DOMAIN_NAME>/config/config.xml file in the Security-Configuration section:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

13 Start the SharedServices server.

14 For WebLogic 9.2 only: Select Deployments and then the interop web application and click Start -> servicing all requests. Once the status of the application changes to "active", the application is available.

15 Launch http://localhost:58080/interop.

Modifying Configuration Files This section details the files to modify. The values listed for driver classes, adapter classes, and URLs should be used to replace the values provided in the section “Files To Modify” on page 148.

Driver Classes ● SQL Server: hyperion.jdbc.sqlserver.SQLServerDriver




Adapter Classes ● SQL Server: org.apache.slide.store.impl.rdbms.SQLServerRDBMSAdapter



URLs ● For SQL Server:


For example,

jdbc:hyperion:sqlserver://user.hdc.net:1433;DatabaseName=hyperion

● For Oracle:


For example,


● For DB2:


For example:

jdbc:hyperion:db2://user.hdc.net:50000;DatabaseName=HYPERION; MaxPooledStatements=40;DynamicSections=3000

Files To Modify The following files require modification using the values provided in the previous section and in the following topics:

● Domain.xml

● slide.properties

● CSS.xml

● scheduler.properties


These files are located in the <HSS_WL_HOME> directory. See “Location References” on page 142.

Domain.xml Change the following values to the values for your relational database:










<parameter name="url">jdbc:hyperion:db2://user.hdc.net:50000; DatabaseName=HYPERION;MaxPooledStatements=40;DynamicSections=3000 </ parameter>




For example, if you are deploying to WebLogic, change the following value for css_config:

<parameter name="css_config">file:///F:/cc/cms/server/deployments/ Tomcat/Base/CSS.xml</parameter>

to this value:

● For WebLogic 8.1.x, <parameter name="css_config">file:///C:/Hyperion /SharedServices/9.2/AppServer/InstalledApps/WebLogic/8.1/CSS.xml </ parameter> (Windows) or <parameter name="css_config">file:///$HOME/ SharedServices/9.2/AppServer/InstalledApps/WebLogic/8.1/CSS.xml </ parameter> (UNIX)

● For WebLogic 9.2, <parameter name="css_config">file:///C:/Hyperion /SharedServices/9.2/AppServer/InstalledApps/other/CSS.xml</

parameter> (Windows) or <parameter name="css_config">file:///$HOME/ SharedServices/9.2/AppServer/InstalledApps/other/CSS.xml </parameter> (UNIX)

slide.properties Change the value for org.apache.slide.domain to a valid path for the Domain.xml file.

For example, if you are deploying to WebLogic, change the following value for org.apache.slide.domain:

org.apache.slide.domain=F:/cc/cms/server/AppServer/InstalledApps/ Tomcat/Base/Domain.xml

to this value:

● For WebLogic 8.1.x, org.apache.slide.domain= C:/Hyperion/SharedServices /9.2/AppServer/InstalledApps/WebLogic/8.1/Domain.xml (Windows) or org.apache.slide.domain= $HOME/SharedServices/9.2/AppServer/

InstalledApps/WebLogic/8.1/Domain.xml (UNIX)

● For WebLogic 9.2, org.apache.slide.domain= C:/Hyperion/SharedServices /9.2/AppServer/InstalledApps/other/Domain.xml (Windows) or org.apache.slide.domain= $HOME/SharedServices/9.2/AppServer/

InstalledApps/other/Domain.xml (UNIX)


CSS.xml Ensure the hostname is used instead of localhost. The hostname is the name of the computer running OpenLDAP, not the computer running the Web server (if you have a Web server). Also ensure the correct port is being used for the OpenLDAP database.




</hub>

to these values:



</hub>

scheduler.propertiesIn the Configure Datasource section, update the following values for the database you are using. The following values apply if DB2 is used:

















● MySQL - mysql


● Oracle - oracle

● DB2 - db2

Manual Deployment to Oracle 10g Application Server 153

A P P E N D I X

CManual Deployment to Oracle

10g Application Server

This appendix provides information about manually deploying Shared Services to Oracle 10.1.3.1.0 application server.

In This Chapter Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154



Modifying Files After Manual Application Server Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

154 Manual Deployment to Oracle 10g Application Server


● <HSS_HOME> identifies the directory in which you installed Shared Services.

● <HYPERION_HOME> identifies the directory for Hyperion products.

● <ORACLE_HOME> identifies the installation location of Oracle 10g application server. For detailed manual deployment instructions, see “Detailed Deployment Instructions” on page 156.


PrerequisitesComplete these tasks before beginning:

● Install Oracle application server and ensure it is running (see the application server documentation).


Shared Services cannot be installed to directories with names containing spaces; for example, C:\Program Files (Windows) or $HOME/Program Files (UNIX).

● After installation, run Hyperion Configuration Utility to configure Shared Services. Configure the database, and then on the application server selection panel, select Tomcat as the application server for deployment and select the manual deployment option. (There is no option for Oracle application server.) Then follow the steps in this chapter to complete the manual deployment. The files copied by Hyperion Configuration Utility for Tomcat are not needed for the Oracle deployment.

Basic Deployment InstructionsThis section provides high-level instructions for manually deploying to Oracle 10.1.3.1.0 application server. See “Location References” on page 154 for the list of location references used in this section to refer to the directories on your system.

Modify Configuration FilesSee “Modifying Files After Manual Application Server Configuration” on page 158.

Deploy the Web ApplicationDeploy the Shared Services WAR file, interop.war. The interop.war file is located in the <HSS_HOME>/AppServer/InstallableApps/common directory.


Set the ClasspathsAdd these libraries to the list of Library Paths:

Windows:

<HSS_HOME>\AppServer\InstallableApps\other;

<HSS_HOME>\AppServer\InstallableApps\common;

<HSS_HOME>\AppServer\InstallableApps\other\commons-collections-3.1.jar;

<HSS_HOME>\AppServer\InstallableApps\other\commons-dbcp.jar;

<HSS_HOME>\AppServer\InstallableApps\other\commons-pool.jar;

<HSS_HOME>\AppServer\InstallableApps\other\HubProductBean.jar;

<HYPERION_HOME>\common\JDBC\DataDirect\3.6\lib\hyjdbc.jar;

<HYPERION_HOME>\common\loggers\Log4j\1.2.8\lib\log4j-1.2.8.jar;

<HYPERION_HOME>\common\SAP\lib;

UNIX:

<HSS_HOME>/AppServer/InstallableApps/other;

<HSS_HOME>/AppServer/InstallableApps/common;

<HSS_HOME>/AppServer/other/commons-collections-3.1.jar;

<HSS_HOME>/AppServer/InstallableApps/other/commons-dbcp.jar;

<HSS_HOME>/AppServer/InstallableApps/other/commons-pool.jar;

<HSS_HOME>/AppServer/InstallableApps/other/HubProductBean.jar;

<HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar;

<HYPERION_HOME>/common/loggers/Log4j/1.2.8/lib/log4j-1.2.8.jar;

<HYPERION_HOME>/common/SAP/lib;

Add the following files to the path:

Windows:

<HYPERION_HOME>\common\SAP\bin;

<HYPERION_HOME>\common\CSS\9.2.1.0\bin;

UNIX:

<HYPERION_HOME>/common/SAP/bin;

<HYPERION_HOME>/common/CSS/9.2.1.0/bin;

Ensure that you keep the bsf.jar and rhino.jar files in the classpath. The jar files are available in the following location:

<ORACLE_HOME>/j2ee/home/applications/<ApplicationName>/interop/WEBINF/lib

Change the Oracle HTTP Server Listen PortsYou must change the Oracle HTTP server listen port for Shared Services. Instructions for changing the Oracle HTTP server listen port are documented at the following location:


http://download-west.oracle.com/docs/cd/B14099_19/core.1012/b13995/ports.htm#CIHJEEJH

Detailed Deployment InstructionsThis section provides detailed instructions for manually deploying to Oracle 10.1.3.1.0 application server. See “Location References” on page 154 for the list of location references used in this section to refer to the directories on your system.

Before you begin deploying, review “Prerequisites” on page 154.

➤ To configure Oracle application server 10.1.3.1.0 for Shared Services:

1 Modify configuration files. See “Modifying Files After Manual Application Server Configuration” on page 158.

2 Start Oracle application server by opening a Web browser, setting the URL to http://localhost:8888 or http://<servername>:<portname>, and specifying the username and password you created during installation of Oracle.

3 Log on to the Oracle 10G Application Server Console.

4 Deploy the Web application:

a. Under Groups, click the OC4J instance; for example, Home, where you want to deploy .

b. Click Applications and then click Deploy.

c. On the Select Archive page, click Browse and select

<HSS_HOME>\AppServer\InstallableApps\common\interop.war (Windows)

or

<HSS_HOME>/AppServer/InstallableApps/common/interop.war (UNIX)

d. Click Next.

e. On the Application Attribute page, specify an application name; for example, SharedServices9 and change Context Root to /interop.

Caution! Once the context root is set to /interop, do not modify.

f. Click Next.

g. Set the classpaths and path:

i. On the Deployment Settings page under Deployment Tasks, click the Go to Task link next to the Configure Class Loading task.

ii. Under Configure Web Module Class Loaders, enter the following values (separated by semicolons) for Classpath Value:

<HSS_HOME>\AppServer\InstallableApps\other;

<HSS_HOME>\AppServer\InstallableApps\common;


<HSS_HOME>\AppServer\InstallableApps\other\commons-collections-3.1.jar;

<HSS_HOME>\AppServer\InstallableApps\other\commons-dbcp.jar;

<HSS_HOME>\AppServer\InstallableApps\other\commons-pool.jar;

<HSS_HOME>\AppServer\InstallableApps\other\HubProductBean.jar;

<HYPERION_HOME>\common\JDBC\DataDirect\3.6\lib\hyjdbc.jar;

<HYPERION_HOME>\common\loggers\Log4j\1.2.8\lib\log4j-1.2.8.jar;

<HYPERION_HOME>\common\SAP\lib;

UNIX:

<HSS_HOME>/AppServer/InstallableApps/other;

<HSS_HOME>/AppServer/InstallableApps/common;

<HSS_HOME>/AppServer/other/commons-collections-3.1.jar;

<HSS_HOME>/AppServer/InstallableApps/other/commons-dbcp.jar;

<HSS_HOME>/AppServer/InstallableApps/other/commons-pool.jar;

<HSS_HOME>/AppServer/InstallableApps/other/HubProductBean.jar;

<HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar;

<HYPERION_HOME>/common/loggers/Log4j/1.2.8/lib/log4j-1.2.8.jar;

<HYPERION_HOME>/common/SAP/lib;

Note: Separate each value with a semicolon.

iii. Add the following files to the path:

Windows:

<HYPERION_HOME>\common\SAP\bin;

<HYPERION_HOME>\common\CSS\9.2.1.0\bin;

UNIX:

<HYPERION_HOME>/common/SAP/bin;

<HYPERION_HOME>/common/CSS/9.2.1.0/bin;

Ensure that you keep the bsf.jar and rhino.jar files in the classpath. The jar files are available in the following location:

<ORACLE_HOME>/j2ee/home/applications/<ApplicationName>/interop/ WEBINF/lib

iv. Click OK.

h. On the Deployment Settings page, click Deploy.

The Processing: Deploy page displays progress messages for the application being deployed.

i. Click Return after you see the following confirmation message: Application "SharedServices9" successfully deployed.


5 Change the Oracle HTTP server listen port for Shared Services. Instructions for changing the Oracle HTTP server listen port are documented at the following location:

http://download-west.oracle.com/docs/cd/B14099_19/core.1012/ b13995/ports.htm#CIHJEEJH

Modifying Files After Manual Application Server ConfigurationThe section details the files that must be modified after a manual application server configuration. The values listed for driver classes, adapter classes, and URLs should be used to replace the values provided in the section “Files To Modify” on page 159.

Driver Classes● MySQL: org.gjt.mm.mysql.Driver

● SQL Server: hyperion.jdbc.sqlserver.SQLServerDriver



Adapter Classes● MySQL: org.apache.slide.store.impl.rdbms.MySqlRDBMSAdapter

● SQL Server: org.apache.slide.store.impl.rdbms.SQLServerRDBMSAdapter



URLs● For MySQL:

jdbc:mysql://hostname:3306/hub?useUnicode=true&characterEncoding=UTF-8

For example,

jdbc:mysql://raghavr.hdc.net:3306/hub?useUnicode=true& characterEncoding=UTF-8

● For SQL Server:


For example,

jdbc:hyperion:sqlserver://udayk.hdc.net:1433;DatabaseName=raghav

● For Oracle:


For example,


Modifying Files After Manual Application Server Configuration 159

● For DB2:


For example:

jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE; MaxPooledStatements=40;DynamicSections=1000

Files To ModifyThe following files require modification using the values provided in the previous section and in the following topics:

● Domain.xml

● Slide.properties

● CSS.xml


● Scheduler.properties

These file are located in:


Domain.xmlChange the following values to the values for your relational database:









<parameter name="url">jdbc:hyperion:db2://raghavr.hdc.net:50000; DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000 </parameter>




For example, change the following value:

<parameter name="css_config">file:///F:/cc/cms/server/deployments/ Tomcat/Base/CSS.xml</parameter>

to the following value:


<parameter name="css_config">file:///<HSS_HOME>/AppServer/InstallableApps/ common/CSS.xml</parameter>

Slide.propertiesChange the following value:

org.apache.slide.domain=F:/cc/cms/server/deployments/Tomcat/Base/ Domain.xml

to the following value:

org.apache.slide.domain=<HSS_HOME>/AppServer/InstallableApps/common/Domain.xml

CSS.xmlEnsure the hostname is used instead of localhost, and ensure the correct port is being used for the OpenLDAP database.




</hub>

to the following values:



</hub>

Scheduler.propertiesIn the Configure Datasource section, update the following values for the database you are using. The following values apply if DB2 is used:







Modifying Files After Manual Application Server Configuration 161










● MySQL - mysql


● Oracle - oracle

● DB2 - db2

Setting Up Shared Services Using Clustering 163

A P P E N D I X

DSetting Up Shared Services Using

Clustering

The procedures in this appendix help you to set up Shared Services in a cluster if you are using a hardware load balancer, which supports session persistence, or if you are setting up a cluster using a software load balancer (Proxy Plug-in). This appendix also provides information about replicating the OpenLDAP environment.

In This Appendix About Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

About Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Using a Hardware Load Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Using a Software Load Balancer (Proxy Plug-In) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Replicating the OpenLDAP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

164 Setting Up Shared Services Using Clustering

About ClusteringAn application server cluster is a set of application servers running one application. The application server processes can run on one computer or on multiple computers. From a client view, a cluster appears to be one server instance. Clustered application servers behave similarly to single servers, except they provide load balancing and failover. All server instances in a cluster must reside in the same cell (defined in the following table) of an application server domain.

Note: Session failure is not supported with application server clusters.

Clustering provides these benefits:

● Client processing requests are balanced, enabling incoming work requests to be distributed according to a configured WLM selection policy

● Failover capability provided by redirecting client requests to a running server when one or more servers are unavailable

This improves the availability of applications and administrative services.

● Systems can be scaled to serve a higher client load than provided by the basic configuration

With clusters and cluster members, additional instances of servers can easily be added to the configuration.

● Servers can be transparently maintained and upgraded while applications remain available for users

● Centralized administration of application servers and other objects

The following table defines key clustering terminology.

Table 1 Clustering Terminology

Term Definition

Managed server An application server process running in its own Java Virtual Machine (JVM)

Node A logical group of servers located on one physical computer

Multiple nodes can exist on one computer, but for this document, assume only one node exists for each physical computer.

Node agent An administrative process that manages the servers running on a node

A node agent resides on one node.

Cell A logical group of nodes belonging to one administrative domain

A cell is a configuration concept, a way for administrators to logically associate nodes with one another. Administrators define the nodes that make up a cell according to whatever criteria make sense in their organizational environments.

About Load Balancing 165

Server clusters come in two main varieties: vertical and horizontal. These are sometimes referred to as vertical scalability and horizontal scalability.

Vertical clustering refers to the practice of defining multiple clones of an application server on one physical computer. In some cases one application server, which is implemented by one JVM process, cannot fully utilize the CPU power of a large computer and drive CPU load up to 100%. Vertical clusters provide a straightforward mechanism to create multiple JVM processes that can fully utilize the processing power available as well as providing process level failover.

Horizontal clustering refers to the more traditional practice of defining clones of an application server on multiple physical computers, thereby enabling one application to span several computers while presenting one system image. Horizontal cloning can provide increased throughput and failover.

Note: Never run clustering on multiple computers unless their clocks are synchronized using some form of time-synchronization service (daemon) running very regularly (the clocks must be within a second of each other). Never start a non-clustered instance against the same set of tables that another instance is running against. It causes serious data corruption and erratic behavior.

About Load BalancingYou can set up Shared Services in a cluster if you are using a hardware load balancer, which supports session persistence, or if you are setting up a cluster using a software load balancer (Proxy Plug-in).

Cell manager Also called network deployment manager, it manages the multiple nodes in a distributed topology

Technically, an application server running an instance of the administration console can manage the application servers configured in one cell. It does this by interacting with the node agent running on each physical computer in the cell.

Load balancing The distribution of tasks across the application servers of a cluster

Table 1 Clustering Terminology (Continued)


The following figure depicts a sample cluster deployment of Shared Services:

Using a Hardware Load Balancer

➤ To set up a cluster using a hardware load balancer:

1 Install and configure Shared Services on each node (host) as instructed in Chapter 4, “Installing and Upgrading Shared Services” and Chapter 5, “Configuring and Setting Up Shared Services.”

These instructions are not specific to clustering, but they explain how to install Shared Services.

2 When configuring the second, third, and fourth (and so on) nodes, perform these configurations:

● Choose to reuse the data while configuring the relational storage for Shared Services.

● Modify the CSS.xml file to update the following element:

<hub location="http://HOSTNAME:PORT">

<dirPort>LDAP_PORT</dirPort>

</hub>

The value for hub location is the primary (first node) Shared Services host name and port number. The value for dirPort is the port number of the OpenLDAP database on the primary Shared Services computer.

● In the Domain.xml file, set the global cache to off. To do so, set the value of slidecache from on to off.

● To use the OpenLDAP servers on these nodes as failovers, follow the procedure in “Replicating the OpenLDAP Environment” on page 183.

3 Add the host name (IP address) of each of the nodes into the load balancer host list.

Using a Software Load Balancer (Proxy Plug-In) 167

Using a Software Load Balancer (Proxy Plug-In)The procedures in this section describe how to set up Shared Services in a cluster for these application servers:

● “WebSphere Clustering” on page 167

● “WebLogic Clustering” on page 175

WebSphere ClusteringThis section includes these procedures for WebSphere clustering:

● “Creating the Deployment Manager Cell” on page 167

● “Setting Up the Shared Services Clustering Environment” on page 168

● “Installing Shared Services To A Cluster” on page 170

● “Adding Support for Additional Ports to the Default Host” on page 171

● “Setting the Class Path” on page 171

● “Deploying One Application on Multiple Servers” on page 173

● “Selecting Server Settings” on page 173

● “HTTP Web Plug-in Settings” on page 174

Note: The procedures in this section use horizontal clustering on two physical computers.

Creating the Deployment Manager Cell

➤ To create the Deployment Manager cell on WebSphere:

1 On machine1, start the WebSphere Network Deployment Manager process:

a. Open a command prompt.

b. Navigate to the WEBSPHERE\DeploymentManager\bin directory (where WEBSPHERE is the installation directory of the WebSphere server).

c. Run startManager.bat.

2 Add two WebSphere nodes to the cell for the Deployment Manager:

a. On machine1, navigate to the WEBSPHERE\AppServer\bin directory.

b. Type the following command:

addNode.bat <machineName>

For example: addNode.bat machine1

where <machineName> is the name of the computer on which the Deployment Manager is running.

Note: You cannot run the addNode command on two nodes simultaneously.


When the command is completed, the following confirmation message is displayed:

Node <machineName> has been successfully federated.

c. On machine2, run the same command as follows:

WEBSPHERE\AppServer\bin>addNode.bat <machine1Name>

For example: WEBSPHERE\AppServer\bin>addNode.bat machine1

When you complete this procedure, you have a deployment manager, a node agent running on machine1, and a node agent running on machine2.

To verify the installation to this point, review the following logs:

WEBSPHERE\AppServer\logs\nodeagent\SystemOut.log (on all computers)

WEBSPHERE\DeploymentManager\logs\dmgr\SystemOut.log (on machine1)

Setting Up the Shared Services Clustering Environment

➤ To set up a cluster for Shared Services on WebSphere:

1 Install Shared Services as described in Chapter 4, “Installing and Upgrading Shared Services.” Use one of the following deployment options:

● Option 1: Install Shared Services on two computers with identical directory structures.

Some jar files and configuration files are required before the server startup and runtime. For example:

c:\websphere on machine1

c:\websphere on machine2

With this option, there are two sets of configuration files available on two computers (Domain.xml, CSS.xml, WorkflowEngine.properties, and Scheduler.properties). If the configuration settings are changed on one computer, copy those files to the other computer manually. To overcome this problem, use option 2.

● Option 2: Install Shared Services on one computer (for example, c:\websphere on machine1) and share the folder to machine2 with all permissions.

Now map this folder on two computers (machine1 and machine2) designating J: for c:\websphere and i: for HYPERION_HOME.

With this option, there is only one set of configuration files shared by the computers, so whenever the configuration settings are changed, they are automatically available for the computers.

Proceed to the next step and complete the procedure.

2 In the Domain.xml file, set the global cache to off. To do so, set the value of slidecache from on to off.

3 Create a cluster for Shared Services using WebSphere:

a. Start WebSphere Network Deployment Manager using the startManager.bat command; for example, WEBSPHERE\DeploymentManager\bin\startManager.bat.


b. Start node agents on both computers using the startNode.bat command; for example, WEBSPHERE\AppServer\bin>addNode.bat.

c. Open the Network Deployment Administrative Console.

d. In the left frame, select Servers > Clusters.

e. In the right frame, click New.

f. Under Step 1: Enter Cluster Name:

i. In Cluster Name, type a name for the cluster; for example, HubCluster.

ii. Deselect Prefer local enabled.

iii. Select Create Replication Domain for this cluster.

iv. Click Next.

g. Under Step 2: Create New Clustered Servers:

i. In Name, type a name for the cluster member; for example, HubClone1.

ii. In Select Node, select the node where the clustered member is created; for example, machine1.

iii. In Weight, type 2.

iv. Select the following options:

❑ Generate Unique HTTP Ports

❑ Create Replication Entry in this Server

❑ Default application server template

v. Click Apply.

h. On this page (Step 2: Create New Clustered Servers):

i. In Name, type a name for the cluster member on the second computer; for example, HubClone2.







v. Click Apply.

i. On this page (Step 2: Create New Clustered Servers):

i. In Name, type a name for the cluster member on the second computer; for example, HubClone3.








v. Click Apply.

WebSphere displays a list of cloned servers at the bottom of the page.

j. Click Next.

k. Under Step 3: Summary, review the list of cloned servers and attributes:

❍ If the summary is correct, click Finish and save. The cluster (HubCluster) is listed in the Server Cluster list.

❍ If the summary is incorrect, click Previous and make corrections.

Installing Shared Services To A ClusterUse this procedure to install Shared Services to a WebSphere cluster.

➤ To install Shared Services to the newly created WebSphere server cluster (HubCluster):

1 In the left frame, select Applications > Install New Application.

2 In the right frame, select the Local path option and click Browse.

3 Navigate to the WebSphere interop.war file and select it.

4 In Context Root, type interop.

5 Click Next.

6 Under Preparing for the application installation, accept the defaults and click Next.

7 Under Step 1: Provide options to perform the installation, accept the defaults and click Next.

8 Under Step 2: Map virtual hosts for web modules, in Virtual Host, select default_host and click Next.

9 Under Step 3: Map modules to application servers, perform the following actions:

a. Select Module.

b. Select the cluster (HubCluster) and click Apply.

c. Click Next.

d. Under Step 4: Summary, click Finish.

During cluster setup, three clones are created with unique HTTP ports, meaning the HTTP listeners for the internal servers running in each application server have values. The algorithm used by the administration process to create ports uses a default value (9080 for HTTP transport) and increments up to the next free value for each server defined.

So in this case, when the Application Server was installed, a standalone server called server1 was created. When the node was added to the deployment manager, server1 was also migrated to become a manager server. Server1 uses port 9080 for its HTTP transport. On


machine1, HubClone1 was created using port 9081. On machine2, Hubclone2 uses port 9081 and HubClone3 uses port 9082. When installing the interop.war file, the default_host virtual host was used for the Web modules. By default, the default_host accepts HTTP requests only on port 9080, so you must configure this virtual host to also accept requests for ports 9081 and 9082.

Adding Support for Additional Ports to the Default Host

➤ To add support for additional ports to the default host:

1 In the WebSphere Administrative Console, select Environment > Virtual Hosts.

2 In the right frame, click default_host.

3 On the default_host page under Additional Properties, click Host Aliases.

4 On the Host Aliases page, click New and perform the following actions:

a. In the Host Name text field, type * (* represents all host names).

b. In the Port text field, type 9081.

c. Click OK.

5 Repeat step 4 for ports 9082 and 58080.

6 Select the Synchronize changes with Nodes option and click Save to save the configuration.

Setting the Class PathThe class path settings you set depend on which deployment option you chose in step 1 on page 168. To review:

● Option 1: Install Shared Services on two computers with identical directory structures.

● Option 2: Install Shared Services on one computer (for example, c:\websphere on machine1) and share the folder to machine2 with all permissions.

➤ To set the classpath if you chose deployment option 1 (install Shared Services on two computers with identical directory structures):

1 In the left frame, open the Environment folder, and click the Manage WebSphere Variables link.

2 Click New and create the following variables:

● HYPERION_HOME: Set the value to the HYPERION_HOME directory you specified during installation. The default is c:\hyperion.

● HSS_HOME: Set the value to the <HSS_HOME> directory you specified during installation. c:\hyperion\SharedServices\9.2.

3 In the left frame, open the Environment folder and click the Shared Libraries link.


4 Click New, name the shared library Hub libs, and add the following libraries to the shared library:

Classpath:

%HSS_HOME%\AppServer\InstallableApps\other\Hub_9_0_0ProductBean.jar%HSS_HOME%\AppServer\InstallableApps\common%HSS_HOME%\AppServer\InstallableApps\common\hyddtek.jar%HSS_HOME%\server\conf%HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1%HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1\commons-dbcp.jar%HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1\commons-collections-3.1.jar%HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1\commons-pool.jar

If you are using a MySQL database, add the following library:

%HYPERION_HOME%\common\JDBC\MySQL\4.0.12\mysql-connector-java-3.0.7-stable-bin.jar

Native Library Path:

%HYPERION_HOME%/common/CSS/3.0.0/bin

5 Click Apply.

6 Click OK.

➤ To set the classpath if you chose deployment option 2 (install Shared Services on one computer and share the folder to a second computer with all permissions):

1 In the left frame, open the Environment folder and click the Manage WebSphere Variables link.

2 Click New and create the following variables:

● HYPERION_HOME: Set the value to the HYPERION_HOME directory you specified during installation; for example, i:\.

● HSS_HOME: Set the value to the HSS_HOME directory you specified during installation; for example, j:\hyperion\SharedServices\9.2.

3 In the left frame, open the Environment folder, and click the Shared Libraries link.

4 Set the class path scope to the cell level. To specify cell scope, clear Node and Server and click Apply.

5 Click New, name the shared library Hub libs, and add the following libraries to the shared library:

Classpath:

${HSS_HOME}/Hub9_0_0ProductBean.jar

${HSS_HOME}/other/hyddtek.jar

${HSS_HOME}/other

${HSS_HOME}/server/conf

Native Library Path:

${HYPERION_HOME}/common/CSS/2.7.0/bin

6 Click Apply.

7 Click OK.


Deploying One Application on Multiple ServersYou deploy one application on multiple servers after you set the classpath.

➤ To deploy one application on multiple servers:

1 In the left frame, open the Applications folder and click the Enterprise Applications link.

2 Under Enterprise Applications, click the interop.war hyperlink.

3 In the Configuration tab under Additional Properties, click the Libraries hyperlink.

4 Under Library Ref, click Add.

5 From Library Name, select Hub libs. Click Apply.

6 Click OK.

7 In the left frame, click the Enterprise Applications link, and in the right frame, click interop.war.

8 Under Additional Properties, click Session Management.

9 Next to Overwrite Session Management, select Overwrite to overwrite the server setting.

10 Next to Session Tracking Mechanism, ensure Enable Cookies is selected.

11 Click Enable Cookies and change the cookie name to HUBSESSIONID.

12 Click Apply. Click OK.

13 Scroll down to Additional Properties and select Distributed Environment Settings.

14 Next to Distributed Sessions, select Memory to Memory Replication. Click Apply.

15 Click Memory to Memory Replication and in the Runtime mode, select Both client and server.


17 Scroll down to Additional Properties and select Custom Tuning Parameters.

18 Next to Tuning level, select Low (optimize for failover).


Selecting Server Settings

➤ To select the server settings:

1 In the left frame, select Servers > Application Servers.

2 In the right frame, click HubClone1.

3 In the Configuration tab, scroll down to Additional Properties and click Web Container.

4 In the Web Container Configuration tab, scroll down to Additional Properties and click Session Management.

5 Next to Session tracking mechanism, select Enable Cookies. Click Apply.

6 Click Enable Cookies and change the cookie name to HUBSESSIONID.



8 In the Session Management Configuration tab, scroll down to Additional Properties and click Distributed Environment Settings.

9 Next to Distributed Sessions, select Memory to Memory Replication. Click Apply.

10 Click Memory to Memory Replication.

11 In Runtime mode, select Both client and server.


13 Scroll down to Additional Properties and click Custom Tuning Parameters.

14 Next to Tuning level, select Low (optimize for failover).


16 In the left frame, select Servers > Application Servers and in the right frame, click HubClone1.

17 In the Configuration tab, scroll down to Additional Properties and click Web Container.

18 Under Addition Properties, click HTTP transports.

19 Click the 9081 port Host * to set the custom properties.

20 Scroll down to Additional Properties and click Custom Properties.

21 Under Custom Properties, click New and add the following custom properties:

ConnectionIOTimeout = 30

ConnectionKeepAliveTimeout = 30

22 Repeat the steps for selecting server settings for all servers (hubClone2, hubClone3) in the cluster.

23 Save the configuration, ensuring Synchronize changes with Nodes is selected.

HTTP Web Plug-in Settings

➤ To update the Web server plug-in settings:

1 In the left frame, select Environment > Update Web Server Plugin.

Performing this step automatically updates the plugin-cfg.xml file in $DeploymentManager_Home\config\cells folder.

2 Open the $DeploymentManager_Home\config\cells\plugin-cfg.xml file.

3 Change the value for AcceptAllContent from "false" to "true".

For example:

<Config ASDisableNagle="false" AcceptAllContent="true" IISDisableNagle="false" IgnoreDNSFailures="false" RefreshInterval="60" ResponseChunkSize="64">

4 Save the plugin-cfg.xml file changes.

5 You can manually copy the plugin-cfg.xml file to the WebSphere installation directory or you can update the location of the plug-in file in the httpd.conf file. Select one of the following options:


● Copy the plugin-cfg.xml from the \DeploymentManager\config\cells folder to <WAS_HOME>\config\cells\plugin-cfg.xml.

● Open the $IBMHttpServer_HOME\conf\httpd.conf file. The last line of this file contains a location for the plugin-cfg.xml file. Change the location of the plugin-cfg.xml file to <WAS_HOME>\config\cells\plugin-cfg.xml and save the httpd.conf file changes.

WebLogic ClusteringThis section includes the following procedures for WebLogic clustering:

● “Creating Server Clusters” on page 175

● “Setting Node Manager Properties” on page 177

● “Setting Up WebLogic Deployment Descriptors” on page 179

● “Removing the IP Address from Config.xml” on page 180

● “Setting the Path” on page 180

● “Starting the Managed Servers from the WebLogic Server Console” on page 182

● “Deploying the Web Application Module” on page 182

● “Serving WebLogic WebDav Methods In a Cluster Mode” on page 183

Creating Server Clusters

➤ To create the domain server instances and clusters:

1 Start the WebLogic Configuration Wizard by selecting Start > Programs > BEA WebLogic Platform 8.1 > Configuration Wizard.

2 On the first screen, select Create a new WebLogic configuration and click Next.

3 Under Select a Configuration Template, select the Basic WebLogic Server Domain template and click Next.

4 Under Choose Express or Custom Configuration, select Custom and click Next.

5 Under Configure the Administration Server:

a. In Name, type InteropAdminServer.

b. From Listen Address, select All Local Addresses.

c. In Listen Port, type 7001.

d. Click Next.

6 Under Managed Servers, Clusters, and Machines Options, select Yes and click Next.

7 Under Configure Managed Servers, click Add and take the following actions:

a. In Name, type FirstServer.

b. In Listen Address, select All Local Addresses.


c. In Listen Port, type 8001.

d. Repeat steps 7a, 7b, and 7c to add three additional servers with the following entries:

e. Click Next.

8 Under Configure Clusters, click Add and type the following text. Click Next:

● In Name, type InteropCluster.

● In Multicast address, type 237.0.0.101.

● In Multicast port, type 8050.

9 Under Assign Servers to Clusters:

a. Select all three servers in the Source list.

b. Click the arrow to place the servers in the Target list.

c. Click Next.

10 Under Create HTTP Proxy Applications, select Create HTTP proxy for cluster InteropCluster and select HttpProxyServer. Click Next.

11 Under Configure Machines, create the computer names with unique port numbers to which you are mapping your managed server in the next step. Click Next.

For example:

12 Under Assign Servers to Machines, map the managed server to the respective machines. Click Next.

13 Under Database (JDBC) Options, select No and click Next.

14 Under Messaging (JMS) Options, select No and click Next.

15 Under Application and Services Targeting Options, select No and click Next.

16 Under Configure Administrative Username and Password:

a. In Name, type weblogic.

b. In Password and Confirm user password, type weblogic.

c. Select No and click Next.

Name Listen Address Listen Port

SecondServer All Local Addresses 8002

OtherMachineServer All Local Addresses 8003

HTTpProxyServer All Local Addresses 8004

Name Node manager listen address Node manager listen port

Machine1 All Local Addresses 5555

Machine2 All Local Addresses 4321


17 Under Configure Windows Options:

a. In Create Start Menu, select No.

b. In Install Administrative Server as a Windows Service, select No and click Next.

18 Under Configure Server Start Mode and Java SDK:

a. In WebLogic Configuration Startup Mode, select Production Mode.

b. In Java SDK Selection, select BEA Supplied SDKs and select JRockit SDK.

c. Click Next.

19 Under Create WebLogic Configuration, do the following:

a. In Configuration Name, type InteropSetup.

b. Click Create.

The Configuration Wizard creates the domain in <bea_HOME>\user_projects\domains\InteropSetup.

c. Click Done to exit the BEA WebLogic Configuration Wizard.

Setting Node Manager Properties

➤ To set the node manager properties:

1 Run the startNodeManager.cmd file in the <bea_HOME>\weblogic81\server\bin directory.

This creates a nodemanager.properties file in the <bea_HOME>\weblogic81\ common\nodemanager directory.

2 Open the nodemanager.properties file.

3 Set the following properties in the nodemanager.properties file:

ListenAddress = machinename

ListenPort = 5555

ReverseDnsEnabled = true

WeblogicHome = c:\bea\weblogic81

bea.home = c:\bea

4 Save and close the nodemanager.properties file.

5 Open the installNodeMgrSvc.cmd file in the <bea_HOME>\weblogic81\server\bin directory.

Note: The WebLogic Server installation process installs Node Manager as an operating system service: a daemon on UNIX systems, or a Windows service on Windows systems.


6 Edit the installNodeMgrSvc.cmd file to specify the node manager's listen address and listen port as follows:

set NODEMGR_HOST=machineName

set NODEMGR_PORT=5555

7 Save and close the installNodeMgrSvc.cmd file.

8 Open the uninstallNodeMgrSvc.cmd file in the same directory and make the changes you made in step 6.

This enables you to uninstall the service in the future.

9 Save and close the uninstallNodeMgrSvc.cmd file.

10 Run the installNodeMgrSvc.cmd file to reinstall Node Manager as a service, listening on the updated address and port.

11 Go to the second computer and repeat the preceeding steps for the nodemanager.properties file, the installNodeMgrSvc.cmd file, and the uninstallNodeMgrSvc.cmd file.

Note: When setting the properties in the nodemanager.properties file for the second computer, do not add the ListenAddress property. Also update the ListenPort, WeblogicHome, and bea.home properties as applicable for the second computer.

12 On the first computer, open a command prompt, specify the directory <bea_HOME>\ user_projects\domains\InteropSetup, and run the startWebLogic.cmd.

13 If you are asked for a username and password, type weblogic / weblogic.

14 On the first computer, open the nodemanager.hosts file in <bea_HOME>\weblogic81\ common\nodemanager and add the computer name or IP address of the second computer where the OtherMachineServer is running.

For example:

# Host names from which the connection to the

# node manager will be accepted.

# You can edit this file manually.

# E.g. - for allowing a machine named holly to connect,

# uncomment one of the following lines based on whether

# ReverseDnsEnabled property is turned on or off.

#holly.bea.com

#172.17.24.145

192.168.159.200

hyperiontest3

15 Save and close the nodemanager.hosts file on the first computer.

16 On the second computer, open the nodemanager.hosts file in <bea_HOME>\weblogic81\ common\nodemanager and add the computer name or IP address of the first computer.

17 Save and close the nodemanager.hosts file on the second computer.


Setting Up WebLogic Deployment DescriptorsTo set up WebLogic deployment descriptors, you must add some additional tags to the weblogic.xml configuration file in <HSS_HOME>/AppServer/InstalledApps/ WebLogic/8.1/SharedServices9/interop/WEB-INF/.

Add the following tags inside the <weblogic-web-app> tag:

<session-descriptor>

<session-param>

<param-name>PersistentStoreType</param-name>

<param-value>replicated_if_clustered</param-value>

</session-param>

<session-param>

<param-name>CookieName</param-name>

<param-value>HUBSESSIONID</param-value>

</session-param>

</session-descriptor>

<container-descriptor>

<session-monitoring-enabled>true</session-monitoring-enabled>

</container-descriptor>

Also, add these tags to the two weblogic.xml configuration files in the following BEA directories:

● E:\bea\user_projects\domains\InteropSetup\apps\ BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\WEB-INF

● E:\bea\weblogic81\common\nodemanager\beaweblogic81\HttpProxyServer\ stage\BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\ BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\WEB-INF

Add the following <init-param> tags (in bold text below) to the web.xml file under the following directories:

● E:\bea\user_projects\domains\InteropSetup\apps\ BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\WEB-INF

● E:\bea\weblogic81\common\nodemanager\beaweblogic81\HttpProxyServer\ stage\BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\WEB-INF

<servlet>

<servlet-name>HttpClusterServlet</servlet-name>

<servlet-class>weblogic.servlet.proxy.HttpClusterServlet</servlet-class>

<init-param>

<param-name>WebLogicCluster</param-name>

<param-value>host1:port1|host2:port2|host3:port3</param-value>

</init-param>


<init-param>

<param-name>CookieName</param-name>

<param-value>HUBSESSIONID</param-value>

</init-param>

</servlet>

Removing the IP Address from Config.xmlIf you are using WebLogic 8.1 with SP4, you must remove the IP Address from the config.xml file or the request from one browser in the same session gets routed to another managed server.

➤ To remove the IP Address from the config.xml file:

1 Open the config.xml file in the c:\bea\user_projects\domains\InteropSetup directory.

2 In the beginning of the config.xml file, find the following tag for clustering:

<Cluster FrontendHTTPPort="8804" FrontendHTTPSPort="7002"

FrontendHost=" 192.168.159.152 " MulticastAddress="237.0.0.101" Name="337_Cluster"/>

3 Delete the value for FrontendHost; for example, FrontendHost="".

4 Save and close the config.xml file.

Setting the PathThe procedures in this section use the following variables to refer to directories on your system:

● $BEA_DIR is the installation directory of the BEA WebLogic server; for example, in Unix, /opt/bea, and, in Windows, c:\bea.

● $HYPERION_HOME is the directory where HYPERION_HOME is set; for example, c:\hyperion (Windows) or /home/username/Hyperion (UNIX).

● $HSS_HOME is the directory in which you installed Shared Services; for example, c:\hyperion\SharedServices\9.2 (Windows) or /home/username/Hyperion/SharedServices/9.2 (UNIX).

➤ To set the path:

1 Open a browser and type the following URL:

http://localhost:7001/console

2 In the login screen type weblogic for the Username and Password.

3 After you are logged on to the WebLogic Server Console, expand the Machines node in the left frame to view the two computer names you created in the WebLogic Configuration Wizard.

4 Select the first computer listed under the Machines node.


5 In the right frame, select the Monitoring tab and view the Node Manager Status. Check that the State is RUNNING.

6 Select the second computer listed under the Machines node, select the Monitoring tab and check that the State is RUNNING for the second computer.

If the states are RUNNING, you can proceed to the next step.

7 In the left frame, click the Servers node to view the servers you created in the WebLogic Configuration Wizard. Click FirstServer under the Servers node.

8 In the right frame, click the Remote Start tab and enter the following settings:

a. Set Java Home to c:\bea\jdk142_05.

b. Set BEA Home to c:\bea.

c. Copy the jar file CR228256_81sp4_v2.jar from C:\Hyperion\SharedServices\ 9.2\AppServer\InstallableApps\WebLogic\8.1 to C:\bea\weblogic81\ server\lib.

d. Set Class Path as follows:

$BEA_DIR\weblogic81\server\lib\cr228256_81sp4_v2.jar;

$BEA_DIRweblogic81\server\lib\weblogic.jar;

$BEA_DIR\weblogic81\server\lib\ojdbc14.jar;

$BEA_DIR\weblogic81\server\lib\webservices.jar;

$BEA_DIR\jdk142_05\lib\tools.jar;

$HSS_HOME\AppServer\InstallableApps\other\Hub9_0_0ProductBean.jar;

$HSS_HOME\AppServer\InstallableApps\catalina.jar;

$HSS_HOME\AppServer\InstallableApps\other\commons-dbcp.jar;

$HSS_HOME\AppServer\InstallableApps\other\commons-collections.jar;

$HSS_HOME\AppServer\InstallableApps\other\commons-pool.jar;

$HSS_HOME\AppServer\InstallableApps\common\hyddtek.jar;

$HSS_HOME\AppServer\InstallableApps\other\jdom-b9.jar;

$HSS_HOME\AppServer\InstallableApps\common

e. Set Arguments as follows:

-server -Xms512m -Xmx512m -XX:NewSize=64m -XX:MaxNewSize=64m -XX:MaxPermSize=128m -Xss128k -XX:-UseTLAB -XX:+UseConcMarkSweepGC -XX:+DisableExplicitGC -Djava.awt.headless=true

f. Set Security Policy File to c:\bea\weblogic81\server\lib\weblogic.policy.

9 Repeat steps 6, 7, 8 for the remaining managed servers (SecondServer and OtherMachineServer).

While updating the classpath for OtherMachineServer, enter the applicable classpath for the second computer.

Note: Hyperion assumes the installation structure for WebLogic and Shared Services are identical for the computers where the Managed Servers for clustering were created.


10 In the left frame, select FirstServer, and in the right frame, select the KeyStores & SSL tab.

11 Scroll down and click Show Advanced Options.

12 Under Advanced Options, from Hostname Verification, select None.

13 Repeat steps 10, 11, and 12 for the remaining managed servers (SecondServer and OtherMachineServer).

14 In the left frame, select the first computer listed under the Machines node and update the Listen Address of HTTpProxyServer.

15 Select the Node Manager tab and add the Listen Address for each computer listed under the Machines node.

Starting the Managed Servers from the WebLogic Server Console

➤ To start the managed servers from WebLogic Server Console:

1 In the left frame, select the Interop Setup node.

2 In the right frame, click Start All Managed Servers.

3 On the WebLogic confirmation screen, click Yes.

After the servers are in Running mode, the Status column shows Task Completed for all servers.

Deploying the Web Application ModuleBefore you deploy the Web application module, perform the following steps:

● In the Domain.xml file, set the global cache to “off.” To do so, set the value of slidecache from on to off.

● In the scheduler.properties file, uncomment the following line:

org.quartz.jobStore.isClustered=true

➤ To deploy the Web application module:

1 In the left frame, expand the Deployments and Web Applications Module nodes.

2 In the right frame, click Deploy a new Web Application Module.

3 Next to the Location link, select the directory where you installed the interop.war file on your computer or the expanded interop folder.

4 Click Target Module.

5 Under Clusters, select InteropCluster.

6 Select All servers in the cluster and click Continue.

7 Accept all defaults and click Deploy.

Replicating the OpenLDAP Environment 183

Serving WebLogic WebDav Methods In a Cluster ModeIn a cluster mode, WebLogic HTTPClusterServlet has an issue with serving WebDav methods. BEA provides a patch for this issue in WLS Service Pack 4.

➤ To serve WebLogic WebDav methods in a cluster mode:

1 Find the CR228256_81sp4_v2.jar file located in the following Shared Services WebLogic directory:

%HSS_HOME%/AppServer/InstalledApps/Weblogic/8.1

2 Add the jar file to the classpath (WEBLOGIC_CLASSPATH variable in %BEA_HOME%/weblogic81/ common/bin/commEnv.cmd or .sh) before the weblogic.jar entry.

3 Remove the following classes from all weblogic.jar files on all computers where the managed servers are installed:

This JAR file is located at %BEA_HOME%/weblogic81/server/lib.

● GenericProxyServlet$ProxyConnection.class

● GenericProxyServlet$ProxyConnectionPool.class

● GenericProxyServlet.class

● HttpClusterServlet$1.class

● HttpClusterServlet$2.class

● HttpClusterServlet$RequestInfo.class

● HttpClusterServlet$Server.class

● HttpClusterServlet$ServerList.class

● HttpClusterServlet.class

Replicating the OpenLDAP EnvironmentLoad balancing and failover is also necessary in the OpenLDAP environment. This section describes how to replicate the OpenLDAP environment for load balancing and failover.

In the following procedure, $HSS_HOME is the directory in which you installed Shared Services; for example, c:\hyperion\SharedServices\9.2 (Windows) or /home/username/Hyperion/SharedServices/9.2 (UNIX).

➤ To set up a replicated environment for OpenLDAP:

1 Install and configure Shared Services on machine1.

2 Install and configure Shared Services on machine2.

3 Stop the Shared Services LDAP Service on machine1.

4 Stop the Shared Services LDAP Service on machine2.


5 Update the slapd configuration files as follows:

a. On machine1, update the $HSS_HOME\OpenLdap\slapd.conf file (Master) with the following entries:

i. Add a replica directive for each replica in slapd.conf:

replica uri=ldap://HOST_NAME_SLAVE:58089

binddn=“cn=Replicator,dc=css,dc=hyperion,dc=com”

bindmethod=simple credentials=security

Note: The second and third lines (the lines starting with binddn and bindmethod) must be preceeded with at least one white space charater to denote that the line is a continuation of the previous line. Also ensure the binddn value is not the same as the rootdn value.

ii. On machine1, configure the replication logs as follows:

❑ Create the following directory for storing the replication related log files: drive:\OpenLdap\logfiles

❑ Add a replogfile directive in the slapd.conf file: replogfile drive:\\OpenLdap\\logfiles\\slapd.replog

b. On machine2, update the <HSS_HOME>\OpenLdap\slapd.conf file (slave) with the following changes:

i. Include an updatedn line as follows:

updatedn “cn=Replicator,dc=css,dc=hyperion,dc=com”

Note: Ensure the value of the updatedn entry is the same as the binddn entry in the master slapd.conf file.

ii. Update the rootdn value to be the same as the updatedn (Replicator) value:

rootdn “cn=Replicator,dc=css,dc=hyperion,dc-com”

iii. Add the following entry for updateref:

updateref “ldap://HOST_NAME_MASTER”

For example: “ldap://192.168.159.176”

6 Copy the contents from the machine1 (Master) database directory to machine2 (Slave) database directory. Copy all database files located in the database directory specified in the slapd.conf file.

For example, copy the data under $HSS_HOME/OpenLdap/var/OpenLdap-data.

7 Update the CSS.xml configuration file as follows:

a. On machine1, update the CSS.xml file with the following entry for the slave OpenLDAP (the CSS.xml file is located at $HSS_HOME\AppServer\InstalledApps\ <appServer>\<version>\CSS.xml):

<native name=”Native Directory”>

<slaves>

<slave>

Replicating the OpenLDAP Environment 185

<url>ldap://machine2:58089</url>

<type>failover</type>

</slave>

</slaves>

</provider>

8 Start the Shared Services LDAP Service on machine1 (Master).

9 Start the Shared Services LDAP Service on machine2 (Slave).

10 Start slurpd on machine1 as follows:

● For Windows:

$HSS_HOME\openLdap\slurpd -f <masterslapdconfigfile>

For example: C:\Hyperion\SharedServices\9.2\OpenLdap\slurpd -f slapd.conf

● For UNIX:

./slurpd -f /var/Hyperion/SharedServices/9.2/openLDAP/usr/local/etc/ openldap/slapd.conf -t /var/Hyperion/SharedServices/9.2/openLDAP/usr/local/var/ openldap-slurp

from

/var/Hyperion/SharedServices/9.2/openLDAP/usr/local/libexec

where Shared Services is installed in /var/Hyperion.

● For Solaris:

a. Make a copy of the startOpenLDAP.sh file in the openLDAP folder and rename it to startSlurpd.sh (or another name you choose).

b. Open the renamed file and change the following codeline:

$OPENLDAP_HOME/usr/local/libexec/slapd -f $OPENLDAP_HOME/usr/local/etc/openldap

/slapd.conf -h ldap://wolverine:58089 -d 1

to

$OPENLDAP_HOME/usr/local/libexec/slurpd -f $OPENLDAP_HOME/usr/local/etc/openlda

p/slapd.conf -t /vol1/Hyperion/SharedServices/9.2/openLDAP/usr/local/var/openlda

p-slurp -d 1

c. Save and close the file.

Shared Services Backup and Recovery 187

A P P E N D I X

EShared Services Backup and

Recovery

This appendix describes how to back up and recover Shared Services data and configuration files in the event of a failure.

In This Appendix Backing Up Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Recovering Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Running the Sync OpenLDAP Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

188 Shared Services Backup and Recovery

Backing Up Shared ServicesBacking up Shared Services includes backing up Shared Services application server configuration files, the OpenLDAP database configuration file, and all OpenLDAP data files and log files. The Shared Services installation includes scripts that perform the backup process for you. Hyperion recommends backing up Shared Services data on a daily basis.

Note: There may be additional data files to back up for the Hyperion product you are using. For example, for Essbase you must back up an essbase.sec file in addition to the Shared Services files. See the Hyperion product documentation.

Shared Services stores data in two databases:

● A relational database

Shared Services supports several relational databases. The relational database stores the event, administrator, and metadata-services-related data. Supported database versions are listed in Chapter 3, “Planning the Shared Services Installation.” The procedures for backing up the relational database are specific to the type of database Shared Services is configured against. See the database vendor documentation for the procedure to back up relational database data.

● An OpenLDAP database

The OpenLDAP database is installed with Shared Services and is automatically configured by Shared Services. OpenLDAP stores the security-services-related data.

To ensure that Shared Services can recover from catastrophic failure, these data sources must be backed up simultaneously to ensure that the data in these sources is synchronized.

➤ To create a hot backup of OpenLDAP:

Note: Shared Services can be running while OpenLDAP is backed up.

1 Ensure that the Shared Services database is in online backup mode.

2 Run the following command:

● For Windows:

<HSS_HOME>\server\scripts\backup.bat backup_folder_name

where <HSS_HOME> is the location where Shared Services is installed and backup_folder_name is the path to the backup folder. For example:

c:\hyperion\SharedServices\9.2\server\scripts\ backup.bat c:\HSS_backup

Recovering Shared Services 189

● For UNIX:

<HSS_HOME>/server/scripts/backup.sh backup_folder_name


/home/username/Hyperion/SharedServices/9.2/server/scripts/ backup.sh /home/username/HSS_backup

3 Optional: Copy the backup folder to a backup device such as a CD-ROM, alternate disk, or tape.

Files Backed UpThese files are backed up:

Recovering Shared ServicesTo recover Shared Services from a catastrophic failure, configuration files and data files must be restored, and the Sync OpenLDAP utility should be run. The Shared Services installation includes scripts that perform the recovery process for you.

To recover Shared Services data, the relational database and the OpenLDAP database must be recovered. When recovering from backups, ensure the time stamp of the OpenLDAP database backup and the time stamp of the relational database backup match (or are close). The procedures for recovering the relational database are specific to the type of database Shared Services is configured against. See the database vendor documentation for the procedure to recover the data in the relational database.

Directory Files

<HSS_HOME>\AppServer\InstalledApps\appServer\version\ Domain.xml

slide.properties

CSS.xml

WorkflowEngine.properties

Scheduler.properties

manage_data.properties

<HSS_HOME>\OpenLDAP slapd.conf

<HSS_HOME>\OpenLDAP\var\openldap-data *.bdb files

log.* files

190 Shared Services Backup and Recovery

➤ To recover Shared Services:

1 On Windows, stop the OpenLDAP service (Hyperion SharedServices9 OpenLDAP).

2 To perform a normal (non-catastrophic) recovery, run the following command:

● For Windows:

<HSS_HOME>\server\scripts\recover.bat backup_folder_name


c:\hyperion\SharedServices\9.2\server\scripts\ recover.bat c:\HSS_backup

● For UNIX:

<HSS_HOME>/server/scripts/recover.sh backup_folder_name


/home/username/Hyperion/SharedServices/9.2/server/scripts/ recover.sh /home/username/HSS_backup

The recover script picks up the backed up configuration and data files from the backup directory and places them in the appropriate directory under <HSS_HOME>. For the list of restored files, see “Files Backed Up” on page 189.

3 To perform a catastrophic recovery, run the following command:

● For Windows:

<HSS_HOME>\server\scripts\recover.bat backup_folder_name

catRecovery


c:\hyperion\SharedServices\9.2\server\scripts\ recover.bat c:\HSS_backup catRecovery

● For UNIX:

<HSS_HOME>/server/scripts/recover.sh backup_folder_name catRecovery


/home/username/Hyperion/SharedServices/9.2/server/scripts/ recover.sh /home/username/HSS_backup catRecovery

The recover script picks up the appropriate configuration and data files from the backup directory and places them in the appropriate directory under <HSS_HOME>.

Running the Sync OpenLDAP UtilityTo ensure that the Shared Services relational database and the Shared Services OpenLDAP database are in sync, run the Sync OpenLDAP utility. See “Sync OpenLDAP Utility” on page 201.

Sample Configuration XML Files 191

A P P E N D I X

FSample Configuration XML Files

When you use the Shared Services External Authentication Provider Configuration Console to set up external authentication, the console writes your configuration information to the CSS.xml file packaged with Shared Services.

The CSS.xml file is located on the computer hosting Shared Services, at:

<HSS_HOME>\AppServer\InstallableApps\common\CSS.xml

where <HSS_HOME> represents the directory where Shared Services was installed.

Completion of the Shared Services configuration populates most of the XML file, but there are some additional elements you can configure. See “Additional Configuration Elements” on page 88.

In This Appendix Basic XML Configuration Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Extended XML Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

192 Sample Configuration XML Files

Basic XML Configuration ExampleThis topic shows a sample XML configuration file containing the basic elements (XML tags) you can configure to enable external authentication for Shared Services and other Hyperion products.

<?xml version="1.0" encoding="UTF-8" ?> <css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <spi> <provider> <ntlm name="ntlmServer"> <trusted>false</trusted> <domain>THIS_IS_DOMAIN_NAME</domain> </ntlm> <ldap name="ldapServer"> <trusted>true</trusted> <url>ldap://host:portNo/DIT</url> <userDN>cn=User Name</userDN> <password>userPassword</password> <user> <url>ou=People</url> </user> <group> <url>ou=Groups</url> </group> </ldap> <msad name="msadServer"> <trusted>false</trusted> <url>ldap://host:PortNo/DIT</url> <userDN>cn=UserName</userDN> <password>UserPassword</password> <user> <url>ou=people</url> </user> <group> <url>ou=Groups</url> </group> </msad> </provider> </spi> <searchOrder> <el>ntlmServer</el> <el>ldapServer</el> <el>msadServer</el> </searchOrder> <logger> <priority>FATAL</priority> </logger> </css>

Extended XML Configuration Example 193

Extended XML Configuration ExampleThis topic shows a sample XML configuration file containing basic and additional elements (XML tags) you can configure to enable external authentication for Shared Services and other Hyperion products.

<?xml version="1.0" encoding="UTF-8" ?> <css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <spi> <provider> <ntlm name="ntlmServer"> <trusted>false</trusted> <domain>THIS_IS_DOMAIN_NAME</domain> <maxSize>300</maxSize> <remoteServer> <location>//localhost:58000/NTLMImpl</location> </remoteServer> </ntlm> <ldap name="ldapServer"> <trusted>true</trusted> <url>ldap://host:portNo/DIT</url> <userDN>cn=User Name</userDN> <password>userPassword</password> <authType>simple</authType>  <authProtocol>ssl</authProtocol> <maxSize>200</maxSize> <identityAttribute>dn</identityAttribute> <user> <url>ou=People</url> <loginAttribute>uid</loginAttribute> <fnAttribute>givenname</fnAttribute> <snAttribute>sn</snAttribute> <emailAttribute>mail</emailAttribute> <objectclass> <entry>person</entry> <entry>organizationalPerson</entry> <entry>inetOrgPerson</entry> </objectclass> </user> <group> <url>ou=Groups</url> <nameAttribute>cn</nameAttribute> <objectclass> <entry>groupofuniquenames?uniquemember</entry> <entry>groupOfNames?member</entry> </objectclass> </group> </ldap> <msad name="msadServer"> <trusted>false</trusted> <url>ldap://host:PortNo/DIT</url> <userDN>cn=UserName</userDN> <password>UserPassword</password> <authType>simple</authType>  <authProtocol>ssl</authProtocol>

194 Sample Configuration XML Files

<maxSize>200</maxSize> <identityAttribute>dn</identityAttribute> <user> <url>ou=people</url> <loginAttribute>uid</loginAttribute> <fnAttribute>givenname</fnAttribute> <snAttribute>sn</snAttribute> <emailAttribute>mail</emailAttribute> <objectclass> <entry>person</entry> <entry>organizationalPerson</entry> <entry>inetOrgPerson</entry> </objectclass> </user> <group> <url>ou=Groups</url> <nameAttribute>cn</nameAttribute> <objectclass> <entry>groupofuniquenames?uniquemember</entry> <entry>groupOfNames?member</entry> </objectclass> </group> </msad> </provider> </spi> <searchOrder> <el>ntlmServer</el> <el>ldapServer</el> <el>msadServer</el> </searchOrder> <token> <timeout>60</timeout> </token> <logger> <priority>FATAL</priority> </logger>  </css>

Troubleshooting the Shared Services Installation 195

A P P E N D I X

GTroubleshooting the Shared

Services Installation

Topics in this appendix include:

In This Appendix Shared Services Log Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Debugging Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Shared Services Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Setting Log Levels for the OpenLDAP Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Troubleshooting OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Utilities for Troubleshooting Shared Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Accessing the User Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Note: <HSS_HOME> is the directory in which you installed Shared Services; for example, c:\Hyperion\SharedServices\9.2. on Windows and /home/username/Hyperion/SharedServices/9.2 on UNIX.

196 Troubleshooting the Shared Services Installation

Shared Services Log Configuration FilesTwo main log configuration files enable you to configure the log level settings for Shared Services:

● CSS.xml

● HSSLogger.properties

The location of these files varies depending on the application server you are using. For example, if you installed Shared Services 9.2.1 with Tomcat 5.0.28 as the application server, these files would be located in <HSS_HOME>\AppServer\InstalledApps\Tomcat\5.0.28.

Debugging Shared ServicesYou can adjust the level of log messages to “DEBUG” for the following Shared Services components:

● For external authentication and single sign-on:

i. Launch the Shared Services External Authentication Configuration Console.

ii. In the Additional Configuration section, locate Logging Level.

iii. In Logging Level, select DEBUG.

iv. Click Save.

Changes are written to the CSS.xml file.

● For Shared Services models, open the HSSlogger.properties file and set the value for log4j.logger.com.hyperion.eie to DEBUG. For example, log4j.logger.com.hyperion.eie=DEBUG. Save your changes.

● For the Shared Services User Management Console, open the HSSlogger.properties file and set the value for log4j.logger.com.hyperion.cas to DEBUG. For example, log4j.logger.com.hyperion.cas=DEBUG. Save your changes.

● For Shared Services taskflows, open the HSSlogger.properties file and set the values for the following to DEBUG:

❍ log4j.logger.com.hyperion.workflow

❍ log4j.logger.com.hyperion.ces

❍ log4j.logger.com.hyperion.dsf

Save your changes.

You must restart Shared Services after making changes to the log levels settings.

Setting Log Levels for the OpenLDAP Database 197

Shared Services Log Files

Most of the preceding server logs are located in the Shared Services logs directory. For example:

● For Tomcat, the logs are located at <HSS_HOME>\AppServer\InstalledApps\ Tomcat\5.0.28\SharedServices9\logs.

● For Weblogic, the logs are located at <HSS_HOME>\AppServer\InstalledApps\ WebLogic\<version>\SharedServices9\logs.

● For Websphere, the logs are located at <HSS_HOME>\AppServer\InstalledApps\ Websphere\5.x\SharedServices9\logs.

In addition to the preceding locations, the External Authentication client log (SharedServices_Security_Client.log) file is located in the Temp directory of the product using the external authentication client. The location of the Temp directory varies based on the application server and platform you are using.

Setting Log Levels for the OpenLDAP DatabaseThe OpenLDAP database stores the security services-related data. Shared Services automatically installs OpenLDAP as a Windows service, configures it, and starts OpenLDAP after installation. But you can set various log levels for the OpenLDAP database, if necessary.

Log level settings for OpenLDAP are a flag or parameter that is passed during OpenLDAP startup and operations are logged in the OpenLDAP server console. Log levels for OpenLDAP are not set in a configuration file, instead they are included as part of the startup command. The following table lists the various startup commands for OpenLDAP. For Windows, the

Log File Topic About Which Information Is Logged

SharedServices_Security.log External authentication and single sign-on

SharedServices_Admin.log User management

SharedServices_Metadata.log Metadata management and registration

SharedServices_Taskflow.log Taskflow

SharedServices_Taskflow_CMDExecute.log Scheduling

SharedServices_Taskflow_Optimize.log Scheduling

SharedServices_SyncOpenLDAP.log Utility that synchronizes OpenLDAP and relational data sources

SharedServices_Security_Client.log External authentication client

Note: In previous releases, the HyperionCSS.log file.


OpenLDAP Windows service is automatically configured with the -d flag. For UNIX, the startup script for OpenLDAP has the option. The setting of this flag is taken care of by the installer.

Some examples:

If you start OpenLDAP with the following command:

slapd -d 0

No details are logged in the OpenLDAP server console.

Conversely, if you start OpenLDAP with the following command:

slapd -d -1

All details of every operation carried out are logged in the OpenLDAP server console.

To selectively enable the log level for viewing access control list processing, start OpenLDAP using the following command:

slapd -d 128

The OpenLDAP server console displays access control data like which user has what kind of access on a particular resource.

Table 2 OpenLDAP Startup Commands

OpenLDAP Startup Command Log Details Description

slapd -d -1 Enable all debugging Provides the most logs. Logs include every transaction or query done with OpenLDAP.

slapd -d 0 No debugging No logs are provided.

slapd -d 1 Trace Traces function calls in OpenLDAP

slapd -d 2 Debug packet handling Enables debugging of packet handling in OpenLDAP

slapd -d 4 Heavy trace debugging Provides a huge amount of trace with data searched in database

slapd -d 8 Connection management Displays all data available in database with its internal process logs

slapd -d 16 Print out packets sent and received Displays all packets sent & received

slapd -d 32 Search filter processing Displays all filter and search data available in OpenLDAP

slapd -d 64 Configuration processing Displays configured data like Object class and its attributes, and so on

slapd -d 128 Access control list processing Displays access control data like which user has what kind of access on a particular resource

Troubleshooting OpenLDAP 199

Troubleshooting OpenLDAPIf you are having problems connecting to the Shared Services OpenLDAP database on a specific machine, try changing the host name to an IP address in these files:

Windows—

<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\CSS.xml

where <HSS_HOME> is the location where Shared Services is installed, <AppServName> is the name of the application server you deployed to, and <version> is the application server release number. For example:

c:\Hyperion\SharedServices\9.2\AppServer\InstalledApps\Tomcat\ 5.0.28\CSS.xml

In the CSS.xml file, find “hostname” and replace it with the IP address:



</hub>

slapd -d 256 Stats log connections/operations/results

Displays add/modify/delete operations on a particular resource. (The -1 option displays this as well, but the 256 option provides fewer logs than the -1 option.)

slapd -d 512 Stats log entries sent Displays connection number, operation number, and the DN values

slapd -d 1024 Print communication with shell backends

Displays index properties of each attribute in an object class

slapd -d 2048 Print entry parsing debugging Provides schema-level detail

slapd -d 4096 Database cache processing Displays database cache processing data like index parameters and so on.

slapd -d 8192 Database indexing Provides database index details

slapd -d 16384 Syncrepl consumer processing Displays replica processing operations (master/slave OpenLDAP configuration)

Table 2 OpenLDAP Startup Commands (Continued)

OpenLDAP Startup Command Log Details Description


UNIX—

❍ <HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/CSS.xml

where <HSS_HOME> is the location where Shared Services is installed, <AppServName> is the name of the application server you deployed to, and <version> is the application server release number. For example:

/home/username/Hyperion/SharedServices/9.2/AppServer/ InstalledApps/Tomcat/5.0.28/CSS.xml

In the CSS.xml file, find “hostname” and replace it with the IP address:



</hub>

❍ <HSS_HOME>/openLDAP/startOpenLDAP.sh

where <HSS_HOME> is the location where Shared Services is installed. For example:

/home/username/Hyperion/SharedServices/9.2/openLDAP/ startOpenLDAP.sh

In the startOpenLDAP.sh file, find “hostname” and replace it with the IP address:

$OPENLDAP_HOME/usr/local/libexec/slapd -f $OPENLDAP_HOME/usr/local/etc/openldap

/slapd.conf -h ldap://hostname:58089

Utilities for Troubleshooting Shared ServicesVarious utilities can be used to help troubleshoot Shared Services. See the following list for descriptions of these utilities:

Viewing the CSS.xml FileYou can verify external authentication providers, native providers, and the CSS.xml file in general using the following URL:

http://localhost:58080/interop/framework/getCSSConfigFile

http://localhost:58080/interop/framework/getCSSConfigFile

Utilities for Troubleshooting Shared Services 201

Sync OpenLDAP UtilityThe relational database and the OpenLDAP database may sometimes get out of sync. You recognize this if there is an inconsistency related to applications or projects. Shared Services provides a utility to help synchronize these differences.

➤ To synchronize the relational and OpenLDAP databases:

1 Start the Shared Services External Authentication Configuration Console.

For instructions, see “Launching the External Authentication Configuration Console” on page 74.

2 Log on to the External Authentication Configuration Console.

3 Select Configuration > Sync OpenLDAP.

Shared Services synchronizes the relational and OpenLDAP databases.

Note: The Sync OpenLDAP utility does not synchronize provisioning details for users and groups on applications.

OpenLDAP RecoveryFor details about using the recovery utilities, see Appendix E, “Shared Services Backup and Recovery.”

Validating ClasspathsShared Services provides the following utility to validate classpaths:

http://localhost:58080/interop/jsp/config/tools/where_is.jsp

Note: This is a prototype utility. This utility is not tested for portability across platforms, and so on.

Determining the System Properties in the Java Virtual Machine (JVM)Shared Services provides the following utility to help determine the system properties in the JVM:

http://localhost:58080/interop/jsp/config/tools/java_system_props.jsp

Note: This is a prototype utility. This utility is not tested for portability across platforms, and so on.

http://localhost:58080/interop/jsp/config/tools/where_is.jsp

http://localhost:58080/interop/jsp/config/tools/java_system_props.jsp


Accessing the User Management ConsoleAs a best practice when accessing the User Management Console on the computer where Shared Services server is running, the URL to access the console should use an IP address or a fully qualified computer name that includes the domain name. For instructions to launch User Management Console, see “Verifying Successful Startup” on page 51.

For complete information about using the User Management Console, see the Hyperion Shared Services User Management Guide.

Index A 203

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Index

AActive Directory

Base DN, 76

host name, 76

port number, 76

referrals support, 94

Active Directory deployment scenario, 111, 114 to 116

address, of LDAP/MSAD provider, 76

AIX

versions supported, 24

AIX platform

JDK installation, 36

Anonymous bind, 76

Apache Tomcat application server

software requirements, 23 to 24

version supported, 13

application servers

Apache Tomcat, 23 to 24

BEA WebLogic, 23 to 24

clustering, 164

hardware requirements, 22 to 23

IBM WebSphere, 23 to 24

Oracle, 23 to 24

software requirements, 24


authentication repository, defined, 64

authentication, timeout setting, 87

Authorization Type, 79

Bbacking up, Shared Services data, 187

Base DN, LDAP/MSAD, 76

BEA WebLogic application server

configuring for Shared Services, 141 to 142

default session timeout, 54

enabling HTTPS for version 8.1, 53

requirements, 26



binding anonymously, 76

browsers

requirements, 22

settings, 23

Ccell manager, defined, 165

cell, defined, 164

classpaths, validating, 201

clustering

about, 164

horizontal, 165

setting up Shared Services using, 163

vertical, 165

WebLogic application servers, 175

WebSphere 5.1.1, 167

configuration

for external authentication, 73

for Shared Services server, 41

configuration file, defined, 64

configuration files, backing up, 188

Configuration Utility

application server deployment, 47

database configuration, 44

database user rights, 42

described, 42

launching, 43

log file, 55

mail server configuration, 46

204 Index D


order of tasks, 43

ports for application servers, 47

ports for databases, 44

prerequisites, 42

reconfiguration, 54

task list, 42

troubleshooting, 55

upgrades and, 43

CONNECT privilege, 25

cookies, enabling, 23

CREATE privilege, 25

CREATE TRIGGER, DROP TRIGGER AND MODIFY TRIGGER privilege, 25

CSS.xml file

manually configuring, 88

samples, 191

viewing, 200

custom installation, 35

custom object-class entries

for LDAP/MSAD groups, 93

for LDAP/MSAD users, 92

Ddatabases

backing up, 188

hardware requirements, 22

IBM DB2, 24

MySQL, 24

Oracle, 24

recovering data, 189

SQL Server, 24

supported, 13

DB2 databases


debug

logging level, 87

Shared Services, 196

deployment scenario

Active Directory, 111, 114 to 116

LDAP, 110, 114 to 115, 117

NT LAN Manager, 112 to 115, 118 to 119

directory, home, 34

disk space requirements, 22

documentation, for Shared Services, 15

documents, accessing

Hyperion Download Center, 16

Hyperion Solutions Web site, 16

Information Map, 16

online help, 16

Domain property for NT LAN Manager configuration, 81

Ee-mail attribute, 91

e-mail server, configuring, 46

error messages, configuring, 87

error, logging level, 87

exporting provisioning data, 15

external authentication, 34

configuration, 73

debug, 196

defined, 64

deleting a provider, 95

introduction, 61

External Authentication Configuration Console, about, 14

Ffatal, logging level, 87

files installed, 35

first-name attribute, 90

fnAttribute property, 90

folders installed

HSS_HOME directory, 35

HYPERION_HOME directory, 36

Ggroup name attribute, 93

Group URL, 77

groups, location of in directory, 77

Hhardware load balancer, using, 166

hardware requirements

application Web server, 22 to 23

databases, 22

overview, 22

home directory, 34

horizontal clustering, 165

host name, LDAP/MSAD, 76

HP-UX

Index I 205



HTTPS, enabling for WebLogic version 8.1, 53

Hub, uninstalling, 58

Hyperion Configuration Utility. See Configuration Utility

Hyperion Home, 36

Hyperion Hub, uninstalling, 58

Hyperion License Server, 12

Hyperion product, default port numbers, 27

Hyperion Remote Authentication Module, 81

Hyperion security platform, about, 16

HYPERION_HOME environment variable, 36

IIBM DB2 databases


IBM WebSphere application server

configuring for Shared Services, 123

requirements, 26

versions supported, 14, 23 to 24

identity, defined, 64

import/export utility (provisioning data), 15

importing provisioning data, 15

info, logging level, 87

install setup program, 33

installation

hardware requirements, 22

JDBC drivers, 13

location, 34

overview, 11

planning, 21

post installation tasks, 40

running silent, 39

setup program, 33


uninstalling, 58

wizard, 33

installation checklist, 17

installing

Shared Services, 31

JJava application server requirements, 23

Java database connectivity (JDBC) driver requirements, 23

Java Development Kit (JDK), 34

Java script, enabling, 23

Java Virtual Machine (JVM)

determining the system properties in, 201

JDBC drivers, installing, 13

LLDAP

adding or configuring the provider, 75

Base DN, 76

host name, 76

port number, 76

provider configuration name, 75

LDAP deployment scenario, 110, 114 to 115, 117

License Server, 12

Linux


load balancing

about, 165

defined, 165

hardware, 166

software, 167

logging levels

configuring the preferred logging priority, 87

setting for Shared Services, 196

setting for the OpenLDAP database, 197

login attribute, 89

login, expiration setting, 87

logs

configuration files, 196

list of Shared Services log files, 197

setting messages to debug, 196

Mmail server, configuring, 46

managed server, defined, 164

manual configuration of CSS.xml file, 88

maximum result-set size

from query of LDAP/MSAD, 79

from query of NTLM, 82

maxSize property (LDAP/MSAD), 79

maxSize property (NTLM), 82

memory requirements

relational database, 22

Shared Services, 22

messages, configuring, 87

206 Index N


Microsoft Active Directory



Microsoft SQL Server databases


MySQL databases


MySQL service, 35

NnameAttribute property, 93

Netegrity SiteMinder, 63

Network File System (NFS) protocol, 26

NFS protocol, 26

node agent, defined, 164

node, defined, 164

NT LAN Manager


configuration pre-requisites, 69

domain specification, 81


Remote Authentication Module, 81

required user rights, 69

NT LAN Manager deployment scenario, 112 to 115, 118 to 119

Oobject-class entries

for LDAP/MSAD groups, 93

for LDAP/MSAD users, 92

OpenLDAP database

and NFS, 26

backing up, 188

exporting, 15

recovery, 201

setting log levels for, 197

setting up SSL on, 98

synchronizing with the relational database, 201

OpenLDAP environment, replicating, 183

OpenLDAP service, 35

OpenLDAP startup commands, 198

Oracle application server




Oracle databases, 24

minimum privileges, 25

ou value, 77

Ppasswords

and trust settings (LDAP/Active Directory), 77

and trust settings (NTLM), 82

planning installations, 21

port numbers

about default, 27

default for Remote Method Invocation (RMI) servers, 28

LDAP/MSAD, 76

post installation tasks, 40

privileges required for Oracle databases, 25

processor requirements, 22

properties not available in Shared Services, 88

property element for MSAD referrals support, 94

provider

deleting, 95

provider configuration name (LDAP/MSAD), 75

provider configuration name (NTLM), 80

provisioning data

exporting, 15

importing, 15

proxy plug-in, using, 167

Rrecovering

OpenLDAP database, 201

Shared Services data, 187

referrals, Active Directory, 94

relational databases

backing up, 188

recovering data, 189


supported, 13

synchronizing with the OpenLDAP database, 201

relational server requirements, 22

Remote Authentication Module

deployment scenario, 119

specifying a location, 81

Remote Method Invocation (RMI) servers, default port numbers for, 28

Index S 207


requirements

browsers, 22

databases, 22

disk space, 22

hardware, 22

memory

relational database, 22

Shared Services, 22

relational server, 22

Shared Services server, 22

Shared Services software, 23

software, 22 to 23

Web server, 22

RESOURCE privilege, 25

results

setting maximum size (LDAP/MSAD), 79

setting maximum size (NTLM), 82

Ssample configurations, 191

SAP


prerequisites, 84

single sign-on and, 83

users, roles, and activity groups, 86

search order for providers, setting, 86

Secure Sockets Layer (SSL)

enabling, 79, 97

setting up on OpenLDAP, 98

setting up on Tomcat, 99

security agent

about, 63

defined, 64

SSL, 97

security platform

about, 16

defined, 64

security, about, 16

services

installed with Shared Services, 35

session timeout, Weblogic on HP-UX, 54

setup program, 33

Shared Services

about, 12

backing up, 188

components, 12

configuring BEA WebLogic application server, 141 to 142

configuring for external authentication, 73

configuring IBM WebSphere application servers, 123

configuring Oracle application server, 153

custom installation, 35

debugging, 196

default port numbers, 27

documentation, 15

folders/files installed, 35

installation checklist, 17

installation location, 34

installation sequence, 17

introduction, 12

location of files, 34

log configuration files, 196

log files, 197

reconfiguring, 54

running silent installations, 39

server components, 12

server requirements, 22

setting up on multiple servers, 28

setting up using clustering, 163


starting, 50

stopping, 52

supported application servers, 13

supported databases, 13

typical installation, 35

uninstalling, 58

upgrading, 32

user management, 16

utilities for troubleshooting, 200

Shared Services data, backup and recovery, 187

Shared Services databases, about, 188

Shared Services installation, overview, 11

Shared Services mail server, 46

Shared Services models, debugging, 196

Shared Services taskflows, debugging, 196

Shared Services User Management Console

accessing, 202

debugging, 196

SharedServices_Admin.log file, 197

SharedServices_Metadata.log file, 197

208 Index T


SharedServices_Security.log file, 197

SharedServices_Security_Client.log file, 197

SharedServices_SyncOpenLDAP.log file, 197

SharedServices_Taskflow.log file, 197

SharedServices_Taskflow_CMDExecute.log file, 197

SharedServices_Taskflow_Optimize.log file, 197

shutdown

commands


port numbers, 27

shutting down Shared Services, 52

silent installations, running, 39

single sign-on

defined, 64

overview, 61

SiteMinder

and trust settings, 78

deployment scenario, 120

using, 63

snAttribute property, 91

software load balancer

using, 167

software requirements

overview, 22

Shared Services, 22

summary, 23

Solaris


SQL Server databases


SSL

enabling, 79, 97

port numbers, 27

setting up on OpenLDAP, 98

setting up on Tomcat, 99

starting Shared Services, 50

startup

commands

for OpenLDAP, 198


port numbers, 27

verifying, 51

stopping Shared Services, 52

surname attribute, 91

Ttimeout, for an authentication token, 87

timeout, WebLogic on HP-UX, 54

tokens

about, 62

and trust settings (LDAP/Active Directory), 77

and trust settings (NTLM), 82

defined, 64

timeout, 87

Tomcat application server

setting up SSL on, 99


trust setting

LDAP/Active Directory, 77

NT LAN Manager, 82

typical installation, 35

Uuninstalling Shared Services, 58

upgrading Shared Services, 32

URL

for CSS.xml file, 200

of LDAP/MSAD provider, 76

user account, default for connecting to a directory, 76

User DN and Password, 76

user entries, uniquely identifying in LDAP/MSAD, 89

user list

maximum size of (LDAP/MSAD), 79

maximum size of (NTLM), 82

user management

about, 16

introduction, 61

User Management Console

about, 15

accessing, 202

launching

URL

for User Management Console, 51

user policies, required for NT LAN Manager, 69

user provisioning, introduction, 61

User URL, 77

users, location of in directory, 77

utilities

backup/recover, 188

determining the system properties in the JVM, 201

Index V 209


for troubleshooting Shared Services, 200

sync OpenLDAP, 201

to validate classpaths, 201

Vvalidating classpaths, 201

verifying startup, 51

vertical clustering, 165

Wwarn, logging level, 87

Web access management solutions, using, 63

Web application servers, supported versions, 13

Web server, hardware requirements, 22 to 23

WebLogic application server

clustering, 175

configuring for Shared Services, 141 to 142

default session timeout, 54

enabling HTTPS for version 8.1, 53

requirements, 26


WebSphere application server

clustering version 5.1.1, 167


requirements, 26


Windows


Windows services

installed with Shared Services, 35

starting, 50

wizard, installation, 33

XXML

sample configurations, 191

210 Index X


Index X 211


212 Index X


hss install

Documents