Hss Install

HYPERION
SHARED SERVICES
RELEASE 9.2.1
INSTALLATION GUIDE
Hyperion Shared Services, Release 9.2.1 Installation Guide Copyright 2004, 2007, Oracle and/or its affiliates. All rights reserved. Authors: Michelle Cohen The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose. If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are commercial computer software or commercial technical data pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065. The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.
Contents
CHAPTER 1 Oracles Hyperion Shared Services Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Hyperion Shared Services Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Shared Services Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Shared Services Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Shared Services Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Hyperion Security Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Shared Services User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 CHAPTER 2 Shared Services Installation Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 CHAPTER 3 Planning the Shared Services Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Relational Database Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Shared Services Server Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Shared Services Component Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Browser Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Software Requirements Summary Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Installation Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Port Numbers Used By Hyperion Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Default Port Numbers for Remote Method Invocation (RMI) Servers . . . . . . . . . . . . . . . 28 Setting Up Shared Services on Multiple Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 OpenLDAP Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Shared Services Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Sample Shared Services Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Standard Shared Services Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Shared Services with Replicated Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Sample Configuration of Clustered Shared Services with Replicated Databases . . . . . . . . 30 CHAPTER 4 Installing and Upgrading Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Upgrading Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Launching Installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Running the Installation Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Contents
iii
What Happens During Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Files Installed in the HSS_HOME Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Installing JDK on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 About Hyperion Home . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hyperion Home Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Files Installed in the HYPERION_HOME Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Changing the Hyperion Home Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 37 37 38
Running Silent Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Postinstallation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 CHAPTER 5 Configuring and Setting Up Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Hyperion Configuration Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Task Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Configuring Product Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Launching the Configuration Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Configuring Relational Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Changing the Database Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Configuring the Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Deploying Shared Services to an Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Postconfiguration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Backing Up Shared Services Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Starting Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Verifying Successful Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stopping Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Deploying WebLogic When Connected Through a Proxy Server . . . . . . . . . . . . . . . . . . . Enabling HTTPS for WebLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Updating the Default Session Timeout for WebLogic 8.1 on HP-UX . . . . . . . . . . . . . . . . 51 52 53 53 54
Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Configuration Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 CHAPTER 6 Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 About Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Uninstalling Hyperion Hub Release 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Uninstalling Hyperion Hub Release 7.0.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Uninstalling Hyperion Hub Release 7.2.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Uninstalling Shared Services Release 9.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 58 58 59 59
CHAPTER 7 About External Authentication and Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 About External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 About Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 About Support for SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
iv
Contents
External Authentication and Single Sign-On Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 CHAPTER 8 Implementing Hyperion External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Workflow for Setting Up External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Preparing to Implement External Authentication and Single Sign-On . . . . . . . . . . . . . . . . . . . 66 CHAPTER 9 Using NT LAN Manager for External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Setting Up User Rights for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Setting Up User Rights on Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Setting Up User Rights on Windows 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 UNIX Application Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Multiple-Domain Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 CHAPTER 10 Configuring External Authentication for Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 How Configuration Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Launching the External Authentication Configuration Console . . . . . . . . . . . . . . . . . . . . . . . . 74 Adding or Editing an LDAP or MSAD Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Naming the Provider Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Specifying Hostname, Port, and Base DN (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Setting a Read-Only User Account or Selecting an Anonymous Bind (Required) . . . . . . 76 Specifying the Location of Users (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Specifying the Location of Groups (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Specifying the Provider Trust Setting (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Setting Maximum Result-Set Size (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Setting Authorization Type (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Completing the Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Adding or Editing an NT LAN Manager Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Naming the Provider Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Specifying the Domain (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Specifying a Remote Authentication Module Location (Optional) . . . . . . . . . . . . . . . . . . 81 Specifying the Provider Trust Setting (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Setting Maximum Result-Set Size (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Completing the Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Working with an SAP Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Adding an SAP Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Provisioning SAP Users/Activity Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Setting the Search Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Setting the Token Time-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Configuring the Preferred Logging Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Enabling the Security Agent for Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Additional Configuration Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Configuring the User Login Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . . . 89 Configuring the User First-Name Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . 90
Contents
Configuring the User Surname Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . Configuring the User E-mail Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . Adding Custom User Object-Class Entries (Optional, LDAP/MSAD Only) . . . . . . . . . . Configuring the Group Name Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . Adding Custom Group Object-Class Entries (Optional, LDAP/MSAD Only) . . . . . . . . . Adding Referral Support (Optional, MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
91 91 92 93 93 94
Deleting a Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Notes About User and Group Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Configuring SiteMinder Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring the SiteMinder Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring the SiteMinder Web Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enabling SiteMinder Authentication in the Shared Services Configuration . . . . . . . . . . . Deployment Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Secure Sockets Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enabling the Use of SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting Up SSL on OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting Up SSL on Apache Tomcat 5.0.28 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 96 96 97 97 97 98 98 99
CHAPTER 11 Using the Hyperion Remote Authentication Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 About the Hyperion Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 UNIX Application Support for NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Multiple-Domain Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Installing the Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Configuring and Starting the Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . 106 CHAPTER 12 Sample External Authentication Deployment Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Single LDAP Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Single Microsoft Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 UNIX Application and Single NTLM Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Windows Application and Single NTLM Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 UNIX Application Against LDAP, MSAD, and NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Windows Application Against LDAP, MSAD, and NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Multiple MSAD Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Multiple LDAP Directory Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Multiple NTLM Domains with Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Single Sign-On with SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Deployment References from LDAP Product Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 APPENDIX A Manual Deployment to WebSphere Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
vi
Contents
Basic Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Define Environment Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Create the Shared Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Add a Transport Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Deploy the WAR File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Override Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Change the HTTP Cookie Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Increase JVM Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Modify Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Detailed Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 WebSphere 5.1.1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 WebSphere 6.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Increasing the Memory Allocation for JVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Troubleshooting the WebSphere Application Server Configuration . . . . . . . . . . . . . . . . 134 Modifying Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Driver Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Adapter Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Files To Modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 APPENDIX B Manual Deployment to WebLogic Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Basic Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Create a New WebLogic Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Unpackage the WAR File and Copy Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Deploy the Web Application Modules to the SharedServices Server . . . . . . . . . . . . . . . . 144 Modify Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Update the Classpath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Copy/Modify Additional Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Detailed Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Modifying Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Driver Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Adapter Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 Files To Modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 APPENDIX C Manual Deployment to Oracle 10g Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Basic Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Modify Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Deploy the Web Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Set the Classpaths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Contents
vii
Change the Oracle HTTP Server Listen Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Detailed Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Modifying Files After Manual Application Server Configuration . . . . . . . . . . . . . . . . . . . . . . Driver Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adapter Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Files To Modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 158 158 158 159
APPENDIX D Setting Up Shared Services Using Clustering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 About Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 About Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Using a Hardware Load Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Using a Software Load Balancer (Proxy Plug-In) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 WebSphere Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 WebLogic Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Replicating the OpenLDAP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 APPENDIX E Shared Services Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Backing Up Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Files Backed Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Recovering Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Running the Sync OpenLDAP Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 APPENDIX F Sample Configuration XML Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Basic XML Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Extended XML Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 APPENDIX G Troubleshooting the Shared Services Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Shared Services Log Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Debugging Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Shared Services Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Setting Log Levels for the OpenLDAP Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Troubleshooting OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Utilities for Troubleshooting Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Viewing the CSS.xml File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sync OpenLDAP Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OpenLDAP Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Validating Classpaths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Determining the System Properties in the Java Virtual Machine (JVM) . . . . . . . . . . . . 200 200 201 201 201 201
Accessing the User Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
viii
Contents
Chapter
1
In This Chapter
Oracles Hyperion Shared Services Installation Overview
This chapter introduces Hyperion products and describes the Shared Services components.
Hyperion Shared Services Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Shared Services Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
11
Hyperion Shared Services Introduction

Shared Services functionality is programmed into products, such as Oracles Hyperion Planning System 9 and Oracles Hyperion Financial Management System 9. Shared Services integrates the products to provide these functionalities:

User provisioning External authentication definition Metadata synchronization Data synchronization Task flow management
The Hyperion System 9 Shared Services User Management Guide (on the Oracle E-Delivery site) describes user-provisioning functionality. Chapter 7, About External Authentication and Single Sign-On of this guide describes external authentication configuration. All other Shared Services functionality is described in the administrators and users guides for the products that implement Shared Services. Products that implement Shared Services functionality require access to a Shared Services server running Shared Services client and server software, and to a database dedicated to Shared Services.
Shared Services Components

Shared Services components:

Shared Services Server on page 12 Shared Services Documentation on page 15 Hyperion Security Platform on page 16 Shared Services User Management on page 16
Hyperion License Server and standalone license files are no longer used for license management. Instead, administrators need to audit product use. To ensure compliance with your license agreement, you need to edit a properties file to activate or deactivate features in accordance with what you have purchased. For more information about license compliance, see the Hyperion License Compliance Readme (hyp_license_compliance_readme.pdf ), which you can find on your product DVD or on the Oracle E-Delivery site.
Shared Services Server

The Shared Services server components:

Databases (relational and OpenLDAP) Web application server Hyperion Configuration Utility External Authentication Configuration Console
12
Hyperion Shared Services User Management Console Import/Export Utility
You only need to install the Shared Services server to one computer and does not need to reside on the same computer as products registering with Shared Services. Descriptions of the Shared Services server components follow.
Databases
Shared Services stores its data in two databases:
An OpenLDAP database The OpenLDAP database stores the security-services-related data. Shared Services automatically installs OpenLDAP as a Windows service, configures it, and starts it after installation.
A relational database The relational database stores the event, administrator, and metadata-services-related data. For a list of supported relational databases, see Software Requirements Summary Table on page 23.
For all supported database software, the installation installs the required JDBC drivers. To assist you in getting started quickly, Hyperion provides the MySQL relational database. Because MySQL is not intended to support large user communities in production environments, it is recommended it be deployed only in a test or demonstration environment where a small number of individuals access and use the software. Following Shared Services installation, you must complete the configuration process as specified in Chapter 5, Configuring and Setting Up Shared Services.
Web Application Servers

Shared Services requires one of these Web application servers:

Apache Tomcat BEA WebLogic IBM WebSphere Oracle Application Server
Apache Tomcat
The installation installs and configures Apache Tomcat version 5.0.28 to run with Shared Services.
13
Note: Hyperion provides Apache Tomcat on the installation media for convenience if you want to use it for your deployment. Hyperion does not own or maintain the Apache Tomcat application server and is not responsible for problems you may encounter with its functionality. Hyperion, however, fully supports the use of Apache Tomcat in its products. In deployments where customers require high availability or failover, Hyperion recommends you deploy a commercially supported application server where these capabilities are supported.
BEA WebLogic Application Server

The installation provides support for versions 9.2 and 8.1.4, as follows:

You must install the application server yourself. For 8.1.4, you can deploy the application server using the Hyperion Configuration Utility. Following Shared Services installation, complete the configuration process as specified in Chapter 5, Configuring and Setting Up Shared Services. For 9.2, following installation, you must deploy manually to the application server. See Appendix B, Manual Deployment to WebLogic Application Server.
IBM WebSphere Application Server

The installation provides support for versions 5.1.1.7 and 6.1, as follows:

You must install WebSphere yourself. For 5.1.1.7, you can deploy the application server using the Hyperion Configuration Utility. Following Shared Services installation, complete the configuration process as specified in Chapter 5, Configuring and Setting Up Shared Services. For 6.1, following installation, you must deploy manually to the application server. See Appendix A, Manual Deployment to WebSphere Application Server.
Oracle Application Server 10g

The installation provides support for version 10.1.3.1.0.

You must install the application server yourself. Following installation, you must deploy manually to the application server. See Appendix C, Manual Deployment to Oracle 10g Application Server.
Hyperion Configuration Utility

Each product installs a configuration tool called Hyperion Configuration Utility. You can use the utility to configure products installed on a machine. For complete information, see Chapter 5, Configuring and Setting Up Shared Services.
External Authentication Configuration Console

The External Authentication Configuration Console is a Web-browser interface to Shared Services. External Authentication Configuration Console enables you to manage external authentication outside the context of a particular product or application. See Chapter 10, Configuring External Authentication for Shared Services.
14
User Management Console

The User Management Console is the centralized user interface for these tasks:

Managing projects and applications within projects Provisioning users and groups for applications Managing the Shared Services native directory
The console software is installed with Shared Services server. See the Hyperion System 9 Shared Services User Management Guide.
Import/Export Utility
The Import/Export utility is a standalone command line utility that exports, imports, and validates Shared Services provisioning data. The Import/Export utility includes these components:

Batch file (Windows) or shell file (UNIX) to invoke the operation Properties file to configure the utility XML configuration file CSV data file
For more information and instructions, see the PDF file that is packaged with the utility as part of the Shared Services installation:
<Hyperion_Home>/common/utilities/CSSImportExportUtility
Shared Services Documentation

Hyperion provides the following documentation for Shared Services:
Hyperion System 9 Shared Services Information Map Lists the documentation available for Shared Services and provides links to installed documentation.
Hyperion Installation Start Here Lists high-level tasks for multiple-product installations.
Hyperion Shared Services Readme Contains late-breaking information about Shared Services.
Hyperion Shared Services Installation Guide Describes how to install and configure the Shared Services server and set up external authentication providers for use with Hyperion products.
External Authentication Configuration Console Online Help Describes how to use the External Authentication Configuration Console.
Hyperion System 9 Shared Services User Management Guide Describes how to set up and administer Hyperion users.
15
Hyperion System 9 Shared Services User Management Console Online Help Describes how to use the User Management Console to manage user accounts on Hyperion applications.
All Shared Services documentation is accessible from the following locations:

Oracle E-Delivery Web site (http://edelivery.oracle.com/) Oracle Technology Network (http://www.oracle.com/technology/index.html) The product DVD The Information Map, available from the Shared Services Help menu for all operating systems On Windows, it is also available from the Start menu.
Online help, available from within Shared Services consoles After you log on, you can access online help by clicking Help or selecting the Help menu.
Hyperion Security Platform

The Hyperion security platform is a framework enabling Hyperion applications to use external authentication and single sign-on. External authentication means the user login information needed by Hyperion applications is stored outside the applications in a central authentication directory. Single sign-on is the ability of a user to access multiple Hyperion products after logging on only once. For detailed information about Hyperion security platform, see Chapter 7, About External Authentication and Single Sign-On.
Shared Services User Management

Shared Services user management enables centralized management of Hyperion product users. The user management system enables administrators to group applications into projects, and then provision users and groups with roles and access rights for applications. You can provision users and groups whose accounts are maintained in corporate authentication directories and in the native directory. Each Hyperion product provides product-specific roles, and Shared Services provides system-wide roles. For detailed information about Shared Services user management, see the Hyperion System 9 Shared Services User Management Guide.
16
Chapter
Shared Services Installation Sequence
This chapter provides information about installing, configuring, and setting up Shared Services: High-level task flow identifying basic steps Installation checklist identifying detailed steps for installation and configuration
Step
Instruction Install Hyperion Shared Services and configure the Shared Services application server and RDBMS. Configure Shared Services to authenticate user names that are stored externally in LDAP Active Directory, or Windows NT LAN , Manager, enabling single sign-on. Install Hyperion products. Configure Hyperion products and register them with Shared Services. You can configure multiple products at one time, if they are installed on the same computer. Create projects, add applications to projects, and provision users for applications.
Product Component Shared Services installer Hyperion Configuration Utility
Documentation Shared Services Installation Guide
Shared Services External Authentication Configuration Console
Shared Services Installation Guide
3 4
Hyperion product installers Hyperion Configuration Utility
Product installation guides Product installation guides
Shared Services User Management Console
Shared Services User Management Guide
The detailed checklist below lists the steps required for a successful installation of Shared Services. Chapter numbers refer to the Hyperion Shared Services Installation Guide unless otherwise noted. If you are upgrading, see Upgrading Shared Services on page 32. Before you begin the installation process, ensure you meet the hardware and software system requirements described in Chapter 3, Planning the Shared Services Installation.
17
INSTALL SHARED SERVICES AND CONFIGURE THE SHARED SERVICES APPLICATION SERVER AND RDBMS 1. Ensure the database software you are using for Shared Services is installed and operational. 2. Download Shared Services software and documentation from the Oracle EDelivery site and install Shared Services. 3. Configure the Shared Services application server and RDBMS.
REFERENCE Chapter 4, Installing and Upgrading Shared Services
Chapter 5, Configuring and Setting Up Shared Services REFERENCE Chapter 9, Using NT LAN Manager for External Authentication
CONFIGURE THE SHARED SERVICES EXTERNAL AUTHENTICATION PROVIDER 1. If enabling one or more Hyperion applications to use external authentication of users in a Windows NT LAN Manager (NTLM) domain, set up the environment and user rights for NTLM support. 2. Ensure Shared Services server is running. 3. Using Shared Services, configure the External Authentication Provider to use:

Chapter 10, Configuring External Authentication for Shared Services
Windows NT LAN Manager (NTLM) Lightweight Directory Access Protocol (LDAP) Microsoft Active Directory (MSAD)
Shared Services writes your configuration information to a central XML-based security configuration file that is generated by Shared Services. Hyperion products reference the security configuration file for single sign-on of external and remote users. 4. Optionally, set up the environment for Netegrity Single Sign-On, configure Shared Services to use Single Socket Layers, and install the Hyperion Remote Authentication Module. Chapter 10, Configuring External Authentication for Shared Services Chapter 11, Using the Hyperion Remote Authentication Module
18
INSTALL HYPERION PRODUCTS Download Hyperion software and documentation from the Oracle E-Delivery site and install Hyperion products.
REFERENCE Hyperion Product Installation Guide
CONFIGURE HYPERION PRODUCTS Activate and configure Hyperion products and register them with Shared Services using Hyperion Configuration Utility:

REFERENCE Hyperion Product Installation Guide
Specify the Shared Services server location. Configure relational databases and repositories for your product. Autodeploy products to application servers (recommended), or select the Manual Deployment option to configure the deployment manually. Create a properties file for your product.
Note: Shared Services server must be running before you can perform this task.
ASSIGN ROLES FOR SHARED SERVICES USER MANAGEMENT AND PROVISION USERS A Shared Services administrator must perform the following tasks:
REFERENCE Hyperion Shared Services User Management Guide
Assign the Project Manager role to users who are responsible for creating projects and assigning applications to projects. For each application, assign the Provisioning Manger role to users who are responsible for assigning roles and access control permissions to users of the application. Assign the Directory Manager role to users who are responsible for managing the native Shared Services directory.
Project Managers can create projects and add applications to projects as necessary. Provisioning Managers for each application can provision users and groups (assign roles and access control permissions) for their applications.
19
20
Chapter
Planning the Shared Services Installation
This chapter contains requirements for a representative deployment (up to 150 total users, 3040 concurrent users, one Shared Services application) and does not contain sizing guidelines. For information on sizing guidelines, see to the Hyperion Business Performance Management Deployment Guide located on the product page on the Oracle E-Delivery site. For larger deployments, Hyperion highly recommends you call Hyperion Consulting Services to determine the correct number of servers for your environment. This chapter details the hardware and operating system requirements, software and browser requirements, and prerequisites. It also explains how to plan for clustering of Shared Services and Shared Services backup and recovery.
In This Chapter
Hardware Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Installation Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Port Numbers Used By Hyperion Products. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Setting Up Shared Services on Multiple Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 OpenLDAP Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Shared Services Backup and Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Sample Shared Services Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
21
Hardware Requirements
Relational Database Hardware Requirements
Shared Services relational database hardware requirements:
Database Server Component Microprocessor Memory Disk spacegeneral guidelines Hardware Requirements Intel Pentium III or later 256 MB, 512 recommended (For optimal performance, see the vendor documentation.)

Small application10-20 MB Medium application50-60 MB Large application100-200 MB
Shared Services Server Requirements

Shared Services server requirements:
Web Server Component Microprocessor Memory Disk space Hardware Requirements Intel Pentium II 300 Mhz (Pentium III or later, 450 Mhz recommended); dual processor required 256 MB minimum with 1.5 GB available 300 MB for full installation
Note: This estimate includes the disk space required for the temporary JAR files extracted during installation.
Software Requirements
The following topics outline software requirements and browser settings for Shared Services:

Shared Services Component Software Requirements on page 23 Browser Settings on page 23 Software Requirements Summary Table on page 23
22
Shared Services Component Software Requirements

Shared Services component software requirements:
Application Component Shared Services 9.2.1 server Java application server Software Requirements Software files supplied during Shared Services 9.2.1 installation

IBM WebSphere 5.1.1.7 and 6.11 BEA WebLogic 8.1.4 and 9.22 Apache Tomcat 5.0.28 (provided by Shared Services installation) Oracle 10g Release 3 (10.1.3.1.0)3 Hyperion JDBC DataDirect 3.6 build 24 (provided by Shared Services installation) Hyperion JDBC MySQL 3.0.8
JDBC (Java database connectivity) driver
1 WebSphere 6.1 is supported only via full manual deployment. For instructions, see Appendix A, Manual Deployment to WebSphere Application Server. 2 WebLogic 9.2 is supported only via full manual deployment. For instructions, see Appendix B, Manual Deployment to WebLogic Application Server. 3 Oracle 10.1.3.1.0 is supported only via full manual deployment. For instructions, see Appendix C, Manual Deployment to Oracle 10g Application Server.
Browser Settings
Browser Microsoft Internet Explorer Firefox Supported Versions 6.0 and 7.0 2.0.0.3
Ensure that default browser preferences and options are enabled:

Enable JavaScript Enable cookies (Preferred setting is to enable cookies to be stored on your computer. Minimum requirement is for each session level cookies set.)
Software Requirements Summary Table

Shared Services server operating system requirements:
23
Operating System Windows
Supported Versions

Windows Server 2000 (SP4) Windows Server 2003 (SP1 and R2) Windows 2003 SP1 Windows 2000 Professional (client) Windows XP Professional (client) Windows Vista (Home series and above) Solaris 9, 10 HP-UX 11.11 HP-UX 11.23 AIX 5.2 ML3 AIX 5.3 ML8 Redhat Linux AS 4.0
Sun Solaris 9, 10 HP-UX
AIX (required for the Shared Services OpenLDAP database) Redhat Linux
Shared Services software requirements:

Component Relational databases Software Requirements
MySQL:

4.0.12 4.0.23 for 64-bit processors 9i - 9.2.0.5 10g - 10.1.0.5 10g - 10.2.0.2 11g Beta 8.2 (8.1 FP7) 9.1 2000 Service Pack 3a 2005 SP1
Oracle:

IBM DB2:

Microsoft SQL Server:

Application servers
IBM WebSphere:

5.1.1.7 6.1 8.1.4 9.2 10g - 10.1.3.1.0 5.0.28 (Does not support DB2 RDBMS.)
BEA WebLogic:

Oracle:
Apache Tomcat:
24
Component JDBC drivers

SQLHyperion JDBC driver OracleHyperion JDBC driver DB2Hyperion JDBC driver Hyperion MySQL connect driver Microsoft Internet Explorer 6.0 and 7.0 Firefox 2.0.0.3 LDAP:

Browsers
Authentication Providers1
Sun One 5.2 Patch 4 Novell eDirectory 8.8 IBM Directory Server 5.1 Domino 6.0
NTLan Manager (NTLM) on 2000 and 2003 Microsoft Active Directory (MSAD) 2000 and 2003 Netegrity Siteminder 5.5 (SP2) OpenLDAP 2.3.37 (provided by Shared Services installation and automatically configured)
1 Requires installation of Hyperion Remote Authentication Module for UNIX authentication against NTLM. See Chapter 11, Using the Hyperion Remote Authentication Module.
Installation Prerequisites
Before installing Shared Services, meet these prerequisites:
To use Shared Services with a database other than MySQL, you must create a database and a user before installing Shared Services. Assign the appropriate rights to the user (see Prerequisites on page 42). For a list of supported databases, see Software Requirements on page 22. If Shared Services is being installed against an IBM DB2 database, increase the applheapsz DB2 configuration parameter to 4000. Use the following command to do this:
update db cfg for HUB_DB_NAME using applheapsz 4000
You must restart the IBM DB2 instance for this parameter to take effect.
To use Shared Services with an Oracle relational database, these privileges are the minimum required for the Shared Services Oracle database user:

CONNECT RESOURCE CREATE
Installation Prerequisites
25
CREATE TRIGGER, DROP TRIGGER AND MODIFY TRIGGER
For UNIX systems, do not run an OpenLDAP database on a Network File System (NFS) mounted protocol. To deploy Shared Services on an application server other than Apache Tomcat, you must install the application server and then install Shared Services. For a list of supported application servers, see Software Requirements on page 22. If you plan to deploy Shared Services on a BEA WebLogic application server, note these requirements:
Shared Services cannot be installed to directories with names containing spaces; for example, c:\Program Files. Shared Services cannot be automatically deployed to BEA WebLogic if WebLogic application server is not installed in BEA_HOME. If BEA WebLogic application server is installed outside BEA_HOME, the autodeployment process for Shared Services does not execute correctly. If you install in such an environment, use the manual deployment option to create the necessary Web archive and use the WebLogic application deployment tool to deploy the application to the required instance.
The auto-deployment process for Shared Services does not update the startup scripts for WebLogic to execute as a service. After installation, you must update the installSvc.cmd file with WLS_USER and WLS_PW (user and password) to run WebLogic as a service.
If you plan to deploy Shared Services on an IBM WebSphere application server, note these requirements:
You must install Shared Services on the computer hosting the IBM WebSphere application server. Shared Services cannot be installed to directories with names containing spaces; for example, c:\Program Files. On UNIX platforms, if you are using the IBM WebSphere application server, ensure you use the same account to install, deploy, and execute Hyperion products used to install WebSphere. Using one account ensures Hyperion Configuration Utility can successfully deploy Hyperion products to WebSphere.
Be aware of port usage so you can resolve port conflicts during configuration. See Port Numbers Used By Hyperion Products on page 27.
26
Port Numbers Used By Hyperion Products

During Hyperion product installation, the default port number for application servers is automatically populated and can be changed during the configuration process. For instructions to modify default ports after installation, see Deploying Shared Services to an Application Server on page 47. Each application port number must be unique. After modifying the default port number, if your application does not launch, or if an error message is displayed similar to port already in use or bind error, there may be a port number conflict. If you do not change the default port number, the software is configured with these values:
Hyperion Product Shared Services Application Builder J2EE Application Builder.NET Oracles Essbase Administration Services Analytic High Availability Services Planning Hyperion Translation Manager Oracles Hyperion Financial Reporting System 9 Oracles Hyperion Web Analysis System 9 Oracles Hyperion Business Modeling Oracles Hyperion Performance Scorecard System 9 Oracles Hyperion Performance Scorecard System 9 Alerting Enterprise Metrics
Listen Port 58080 21080 22080 10080 11080 8300 14080 8200
SSL Listen Port 58090 21090 22082 10090 11090 8300 14090
Shutdown Port for Apache Tomcat 58005 21005 22081 10005 11005 8301 14005 8201
16000
16001
17080 18080
17090 18090
17005 18005
18081
18091
18006
8180
8280 8205
8105
Essbase Smart View Provider Oracles Hyperion Workspace
13080 19000
13090
13005 45001
Port Numbers Used By Hyperion Products
27
Default Port Numbers for Remote Method Invocation (RMI) Servers

Hyperion Component Hyperion Remote Authentication Module Financial Reporting Planning Strategic Finance Hyperion Performance Suite Legacy Hyperion Performance Suite GSM Hyperion Performance Suite Services OpenLDAP RMI Port 58000 1099 11333 1493 and 1495 1494 - 1498 1800 1801-1803 58081
Setting Up Shared Services on Multiple Servers

Shared Services enables you to horizontally scale an application; thus, you can use multiple servers for one application. This improves performance and provides fail-over capability for Shared Services. For complete information, see Setting Up Shared Services Using Clustering on page 163.
OpenLDAP Replication
Load balancing and failover is also necessary in the OpenLDAP environment. For detailed information, see Replicating the OpenLDAP Environment on page 183.
Shared Services Backup and Recovery

To ensure that Shared Services can recover from catastrophic failure, the Shared Services installation provides scripts that perform the backup and recovery process for you. For detailed information, see Shared Services Backup and Recovery on page 187.
Sample Shared Services Deployment Scenarios

This section describes some sample deployment scenarios for Shared Services:

Standard Shared Services Configuration on page 29 Shared Services with Replicated Databases on page 29 Sample Configuration of Clustered Shared Services with Replicated Databases on page 30
28
Standard Shared Services Configuration

This deployment scenario depicts the default configuration of Shared Services, with one instance of Shared Services Web application, one instance of the OpenLDAP database, and one instance of a relational database. In this scenario there is no support for failover or load balancing.
Shared Services with Replicated Databases

This deployment scenario depicts a configuration with failover support for the database but Shared Services is only deployed on one application. This configuration works for deployments where the authentication to Hyperion products is extremely critical and needs failover support, but Shared Services features such as user provisioning, metadata synchronization, and task flow management do not need failover support. The relational database replication/failover is vendor-specific. Shared Services provides the ability to replicate OpenLDAP and configure it to support failover. See Appendix E, Shared Services Backup and Recovery.
Note: There is no load balancing support for OpenLDAP.
This figure depicts a standard deployment of Shared Services with replicated databases:
Sample Shared Services Deployment Scenarios
29
Sample Configuration of Clustered Shared Services with Replicated Databases

This deployment scenario depicts a configuration where failover support is available across all Shared Services components. Clustering provides failover and load balancing support for the Shared Services Web application. Shared Services can be clustered through a software load balancer on WebSphere and WebLogic application servers or on other application servers using a hardware load balancer. For information about clustering, see Appendix D, Setting Up Shared Services Using Clustering. The relational database replication/failover is vendor-specific. Shared Services provides the ability to replicate OpenLDAP and configure it to support failover. See Appendix E, Shared Services Backup and Recovery.
Note: There is no load balancing support for OpenLDAP.
This figure depicts a sample cluster deployment of Shared Services:
30
Chapter
4
In This Chapter
Installing and Upgrading Shared Services
This chapter explains how to install Shared Services and describes what happens during installation.
Upgrading Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Launching Installers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Running the Installation Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 What Happens During Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Files Installed in the HSS_HOME Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Installing JDK on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 About Hyperion Home . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Running Silent Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Postinstallation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
31
Upgrading Shared Services

These topics document the process for upgrading from a previous release of Shared Services to this release. THe following upgrade paths are supported:

9.2.0.x to 9.2.1 9.0.x to 9.2.1 7.2.5.2 to 9.2.1
To upgrade to this release of Shared Services from one of the releases mentioned above:
1 Verify that all preparation tasks are complete and all system requirements are met.
See Chapter 3, Planning the Shared Services Installation.
2 Stop all activities and processes connected to Shared Services, including the application server, the OpenLDAP
database, and all servers related to Shared Services.
Note: You do not need to uninstall the previous release of Shared Services or stop the relational database.
To stop Shared Services manually, execute the stop script. See Stopping Shared Services on page 52.
3 If the previous installation of Shared Services was a manual deployment, search on your system for the
external authentication configuration file (CSS.xml), and manually back it up.
4 Install this release of Shared Services over the existing installation. You must install the Shared Services files
to the previous installation directory.
See Launching Installers on page 33 and Running the Installation Wizard on page 33. Do not start Shared Services.
5 If you are upgrading from 9.0.x or from 7.2.5.2, and you previously deployed Shared Services to Apache
Tomcat as a Windows service, remove the Windows service before configuring the Shared Services application server.
To remove the Tomcat Windows service, from a command line, change to:
For 9.0.x:
<HSS_HOME>\AppServer\InstalledApps\Tomcat\5.0.28\ SharedServices9\bin
For 7.2.5.2:
\Hyperion\HyperionHub\7.2.1\deployments\Tomcat\4.1.30
Then type:
removeService.bat
6 Using Hyperion Configuration Utility, configure the Shared Services application server, RDBMS, and mail server.
You must select the option to re-use the existing database.
See Chapter 3, Configuring Shared Services.
7 Start Shared Services.
32
Note: You must ensure Shared Services is started before configuring other Hyperion products. If you upgrade Shared Services but do not upgrade other Hyperion products, you must reregister the other products with Shared Services using Hyperion Configuration Utility. For instructions, see the product installation guide.
8 If you are upgrading from 7.2.5.2, ensure the following tags are added to the external authentication
configuration file (CSS.xml):
a. The <hub> tag with a URL for the hostname. For example,
- <hub location="http://MCOHEN2:58080"> <dirPort>58089</dirPort> </hub>
b. The <native> tag with Native Directory specified. For example,

- <spi> - <provider> <native name="Native Directory" /> </provider> </spi>
Launching Installers
To launch the Shared Services installer from a self-extracting download file from Oracle EDelivery site:
1 Download the installer from Oracle's E-Delivery Web site.

See the Media Pack Readme for information about which files to download.
2 Extract the files from the ZIP file.

After extraction, the installation directory should include the following files:

setup.exe (Windows) or setup.bin (UNIX) setup.jar (Windows or UNIX)
3 Run the install setup program:

Windowssetup.exe UNIXsetup.bin
Note: If you cannot execute setup.bin, use chmod to add execute privilege.
Running the Installation Wizard

This procedure describes using the installation wizard to install Shared Services.
To install Shared Services:

1 Verify that all prerequisites and system requirements are met.
Running the Installation Wizard
33
See Planning the Shared Services Installation on page 21.
2 Download and launch the Shared Services installer program.

See Launching Installers on page 33 for instructions.
3 Follow the installation prompts, keeping in mind this information:
If the installation wizard detects a previous installation of Shared Services, you must install the Shared Services files to the same directory as the previous installation. If this is a new installation (no previous installation of Shared Services is detected), you can specify the directory in which to install the Shared Services files. Restrictions for this field:
You can enter only English alphanumeric characters and these special characters: dash ( - ), underscore ( _ ), plus sign ( + ), backslash ( \ ), forward slash ( / ), dot (.), colon ( : ) The colon character ( : ) is supported only for Windows platforms to specify the drive (for example, c:\).
If you are deploying Shared Services on a WebLogic or WebSphere application server, Shared Services cannot be installed to a directory whose name contains a space; for example, c:\Program Files.
By default, the wizard installs Shared Services in one of these directories:

Windowsc:\Hyperion\SharedServices\<releaseNumber> UNIX/home/username/Hyperion/SharedServices/<releaseNumber>
Hyperion common components are installed to a different directory than the Shared Services software. Common components are installed to a location called Hyperion Home (HYPERION_HOME\common). For more information, see About Hyperion Home on page 36. Restrictions for this field:
You can enter only English alphanumeric characters and these special characters: dash ( - ), underscore ( _ ), plus sign ( + ), backslash ( \ ), forward slash ( / ), dot (.), colon ( : ) The colon character ( : ) is supported only for Windows platforms to specify the drive (for example, c:\).
The Hyperion Home location cannot be a directory whose name contains a space; for example, c:\Program Files.
Note: On UNIX platforms, if the HYPERION_HOME directory is mounted on a Network File System (NFS) so that one HYPERION_HOME location is visible across multiple computers, Shared Services can only be installed to one computer. If you try to install Shared Services to another computer, the previous installation is detected.
In addition to the Shared Services files, the wizard installs shared components, such as Java Development Kit (JDK) files, Hyperion External Authentication Module files, and so on.
34
Note: For AIX, the Shared Services installer does not perform a full installation of JDK. For information about installing JDK on AIX, see Installing JDK on AIX on page 36.
After installation is complete, the installation wizard prompts you to launch Hyperion Configuration Utility, which enables you to perform key product activation and configuration tasks. See Postinstallation Tasks on page 40.
What Happens During Installation

During installation, the Shared Services installer program performs the following operations:
Creates directories and subdirectories under the location specified during installation In documentation, the directory Shared Services is installed is referred to as HSS_HOME. For a list of the Shared Services directories created during installation, see Files Installed in the HSS_HOME Directory on page 35.
Installs Hyperion common components to HYPERION_HOME\common For information about HYPERION_HOME and a list of directories created, see About Hyperion Home on page 36. After HYPERION_HOME is defined, you can run a migration utility to change its location. The Hyperion Home Migration Utility is provided with the Shared Services installation. See About Hyperion Home on page 36.
A typical installation installs these Shared Services components:

MySQL database Shared Services server Shared Services documentation
A custom installation installs only the components you choose.
On Windows, creates these manual services:

Open LDAP service: Hyperion SharedServices9 OpenLDAP MySQL service: Hyperion-MySQL-4.0.12
On UNIX, creates and starts a MySQL process. Installs documentation files to HSS_HOME\docs on the Shared Services computer See Shared Services Documentation on page 15.
On Windows, adds shortcuts to the Start menu Installs an uninstaller in HSS_HOME\uninstall See Chapter 6, Uninstalling Shared Services and Hyperion Hub.
Files Installed in the HSS_HOME Directory

The directory where you install Shared Services is referred to as the HSS_HOME directory, by default:
Files Installed in the HSS_HOME Directory
35
Windowsc:\Hyperion\SharedServices\<releaseNumber> UNIX/home/username/Hyperion/SharedServices/<releaseNumber>
Directories created for typical installations:

Directory Contents
\AppServer
\InstallableAppsfiles required by the Configuration Utility for autodeployment \InstalledAppsfiles/directories created by Hyperion Configuration Utility during auto-deployment
\client \docs \openLDAP \server \uninstall
Java APIs for applications to use Shared Services functionality Shared Services documentation files OpenLDAP database files Shared Services executable files, default relational database files, Java class files, and server locale files Files for uninstalling Shared Services
Installing JDK on AIX

For AIX, the Shared Services installer does not perform a full installation of the Java Developer Kit (JDK). Instead, the files required for you to install the JDK are placed in the $HYPERION_HOME/common/JDK/IBM/1.4.2 directory. The files are:

fixes.html java14.license java14.sdk sdkguide.aix32.htm
See sdkguide.aix32.htm for instructions on installing the JDK.
About Hyperion Home

When multiple Hyperion products are installed on one computer, common internal and thirdparty components used by the products are installed to a central location, called Hyperion Home. On Windows, the Hyperion Home location is defined in the system environment variable called HYPERION_HOME. On UNIX, the Hyperion Home value is stored in .hyperion.<hostname> in the /home directory.
Note: Hyperion recommends all Hyperion applications be installed as one user on UNIX platforms. All Hyperion products install common third-party and internal components under HYPERION_HOME. To ensure installers have the permissions required to modify the HYPERION_HOME location on UNIX platforms; Hyperion recommends all Hyperion applications be installed under one HYPERION user account on UNIX platforms.
36
Hyperion Home Location

The Shared Services installer prompts you to define the location for Hyperion Home. The default location is C:\Hyperion for Windows and $HOME/Hyperion for UNIX. The installer searches for the HYPERION_HOME environment variable on the computer to which you are installing. If the location was previously defined for another Hyperion product, the installation uses that location and the Hyperion Home location cannot be changed through the installer. If this is the first Hyperion installation on the computer, and you have not specified the location for Hyperion Home, you can specify the location during installation. Do not choose a HYPERION_HOME location containing a space character. For example, C:\Program Files.
Note: On UNIX platforms, if the HYPERION_HOME directory is mounted on a Network File System (NFS) so that one HYPERION_HOME location is visible across multiple computers, Shared Services can only be installed to one computer. If you try to install Shared Services to another computer, the previous installation is detected.
Files Installed in the HYPERION_HOME Directory

The following table lists the files that are installed in the HYPERION_HOME\common directory by a default installation of Shared Services. Some common components are optional and may not be installed.
Table 1
Directories Created in the HYPERION_HOME\common Directory Description Contains application server files Contains Configuration Utility files Contains files to support Hyperion external authentication Contains relational database management system (DBMS) files Contains installer user interface files Contains Java Cryptography Extension (JCE) files for encryption, key generation and key agreement, and Message Authentication Code (MAC) Contains Java Database Connectivity (JDBC) files Contains Java Development Kit (JDK) files Contains files for external authentication logging Contains one of the utilities needed to change the location of Hyperion Home For more information, see Changing the Hyperion Home Location on page 38.
Directory
appServers config CSS DBMS HyperionLookAndFeel JCE JDBC JDK loggers utilities
XML
Contains common XML components
About Hyperion Home
37
Changing the Hyperion Home Location

After Hyperion Home is defined through the product installation, you must run a migration utility to change the Hyperion Home location. The utility moves the files installed in Hyperion Home to the new location and replaces the value of the current HYPERION_HOME environment variable. The Hyperion Home Migration Utility is provided with the Shared Services installation.
Note: For an Apache Tomcat 5.0.28 Windows installation, you can choose to install the Shared Services server as a Windows service. If you select this option, the Shared Services server is launched automatically by the service and runs in the background. However, if you migrate HYPERION_HOME to another location after installing Shared Services, the Windows service does not automatically start. This occurs because the registry entries for the Windows service still retain the old path information. If this occurs, you must manually update the location of the Windows service after you migrate HYPERION_HOME.
To change the Hyperion Home location:

1 Launch the migration utility:
On Windows, choose a method:
Double-click the run.exe file from:

%HYPERION_HOME%\common\utilities\HyperionHomeTool\1.0.1\bin
From a Windows console, change to this directory:

%HYPERION_HOME%\common\utilities\HyperionHomeTool\1.0.1\bin
Then type:
run.exe -console
On UNIX, choose a method:
In XWindows, change to this directory:

$HYPERION_HOME/common/utilities/HyperionHomeTool/1.0.1/bin
Then type:
migrationtool.sh
In a UNIX console, change to this directory:

$HYPERION_HOME/common/utilities/HyperionHomeTool/1.0.1/bin
Then type:
migrationtool.sh -console
The migration utility is launched.
2 Step through the screens, and when prompted, enter the Hyperion Home location or click Browse to
navigate to the desired location.
Do not choose a HYPERION_HOME location containing a space character. For example, C:\Program Files. The migration utility copies the entire Hyperion Home directory to the new location and replaces the value of the current HYPERION_HOME environment variable.
38
For Windows, the Hyperion Home Migration Utility updates the environment variable. For UNIX, the utility updates the .hyperion.<HOSTNAME> file in the home directory containing the environment variable. Login initialization files, such as .profile and .login are not updated on UNIX systems.
Running Silent Installations

To install Shared Services on multiple computers using the same installation options, you can record your installation settings and run a silent installation from the command line. Silent installations automate the installation process so you can install Shared Services without specifying installation settings each time. To record your installation settings, you create a response file and run the regular installation to record your settings in the response file. Then, when you run the silent installation from the command line, the response file is used to set the same installation options as the regular (nonsilent) installation.
To record installation settings and run a silent installation:

1 Navigate to the directory containing the product installer. 2 From a command line, run one of these commands:
Windows
setup.exe -options-record responsefilename
For console mode:

setup.exe -console -options-record responsefilename
AIX, Solaris, HP-UX, and Linux
setup.bin -options-record responsefilename
For console mode:

setup.bin -console -options-record responsefilename
The responsefilename can include an absolute path or filename.
3 The regular (nonsilent) product installer is launched. 4 As you step through the installer, specify the settings to use.
The installation options are recorded in the response file. You can modify the response file to change installation options. You are now ready to run the installation in silent mode.
5 From the command line, enter one of these commands:

Windows AIX, Solaris, HP-UX, and Linux
setup.exe -options <responsefilename> -silent setup.bin -options <responsefilename> -silent
The installation runs in the background.
Running Silent Installations
39
Postinstallation Tasks
After installation is complete, the installation wizard prompts you to launch Hyperion Configuration Utility. Hyperion Configuration Utility is a common tool that guides you through a series of pages to perform these Shared Services configuration tasks:

Configuring a relational database for Shared Services Configuring a mail server for Shared Services Deploying Shared Services on an application server
For detailed information about launching and running Hyperion Configuration Utility, see Chapter 5, Configuring and Setting Up Shared Services.
40
Chapter
Configuring and Setting Up Shared Services
This chapter describes how to configure Shared Services using Hyperion Configuration Utility. It provides instructions for configuring relational databases, deploying to an application server, and configuring the mail server. It also describes how to start and stop the Shared Services server.
In This Chapter
Hyperion Configuration Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Task Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Configuring Product Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Launching the Configuration Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Configuring Relational Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Configuring the Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Deploying Shared Services to an Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Postconfiguration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Verifying Successful Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Configuration Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
41
Hyperion Configuration Utility

The Configuration Utility is a common tool used to configure installed Hyperion products. It is installed with the first product installed on a machine, and you can use it to configure all products that are installed on that machine. Use the Configuration Utility to configure Shared Services first, separately from other products. Then use it to configure other products that are installed on a machine. The Configuration Utility should be used on each machine to which a product is installed. The Configuration Utility provides these configuration tasks for Shared Services:
Relational Storage ConfigurationRequired to use a database to store and retrieve Shared Services data. See Configuring Relational Storage on page 44. Configure Mail ServerRequired if you are using task automation notifications. See Configuring the Mail Server on page 46. Application Server DeploymentRequired to deploy Shared Services to an application server. See Deploying Shared Services to an Application Server on page 47.
You can reconfigure Shared Services after the initial configuration, following the same procedures.
Note: You must configure Shared Services before configuring other Hyperion products installed on the same machine or on other machines. You do not need to install Shared Services on each machine where a product is installed.
When using the Configuration Utility to configure other Hyperion products, you are given the option to register products with Shared Services. Registering products is a required step before you can use Shared Services functionality. See the product installation guide.
Prerequisites
Complete these tasks before using the Configuration Utility:
Install the Shared Services server, but do not start it. It should be stopped during configuration. Install the application server that you plan to use. Prepare a database to use for relational storage. The database user that you specify during configuration should have the following user rights for the database: inserting seeded data and creating, deleting, and updating tables. See also Installation Prerequisites on page 25.
42
Task Sequence
When performing multiple configuration tasks in one session, the Configuration Utility orders the tasks appropriately. If you use the Configuration Utility to perform tasks individually, follow this order:

Application server deployment Mail server configuration Database configuration
Configuring Product Upgrades

Use the Configuration Utility to configure Shared Services when it is upgraded from a previous release (for example, 9.0.0). The Configuration Utility determines whether the Shared Services installation is new or upgraded. The product selection page indicates whether Shared Services was specified as an upgrade during the Shared Services installation process. All configuration tasks are available for upgraded products; however, if an upgraded product is configured for a relational database, the database configuration page is read-only except for the password. If you are upgrading Shared Services and products, upgrade Shared Services first, separately from other products.
Note: The Configuration Utility is backward compatible with previous releases (9.0.x and higher) and can be used to configure Shared Services for those releases.
Launching the Configuration Utility

You must run the Configuration Utility on each machine to which a product is installed. The utility can be launched from a product installer or independently.
Note: Before beginning configuration on UNIX platforms, set the number of operating system file descriptors to at least 1024 to avoid possible issues with application server deployment. See your operating system documentation for information on using the Limit command to increase this setting.
To launch the Configuration Utility:

1 Choose a method:
On the last page of the Shared Services installer, select the option to launch the Configuration Utility. On Windows, choose a method:
From Start, select Programs > Hyperion > Foundation Services > Configuration Utility. Double-click the configtool.bat file from:
%HYPERION_HOME%\common\config\
Launching the Configuration Utility
43
From a Windows console, change to this directory:

%HYPERION_HOME%\common\config\
Then type:
startconfigtool.bat -console
On UNIX, choose a method:
In XWindows, change to this directory:

$HYPERION_HOME/common/config/
Then type:
configtool.sh
In a UNIX console, change to this directory:

$HYPERION_HOME/common/config/
Then type:
configtool.sh -console Note: If you are running the Configuration Utility in console mode, follow the command-line prompts.
2 On the welcome page, click Next. 3 From the list of installed products, select Shared Services and click Next.
A list of configuration tasks is displayed.
4 Follow the instructions for configuration tasks, as appropriate:

Configuring Relational Storage on page 44 Configuring the Mail Server on page 46 Deploying Shared Services to an Application Server on page 47
Note: You can select multiple tasks in one session. For Shared Services, Hyperion recommends you deploy the relational database and the application server together. However, if you decide to deploy them separately, deploy the application server first and then the relational database.
Configuring Relational Storage

When you configure Shared Services to use a database, the Configuration Utility checks for connectivity to the database and ensures that the database is a supported database type. If an existing database is detected, you may be prompted to re-use the database or create a new one. For a list of supported databases for this release, see Software Requirements on page 22. For database prerequisites, see Prerequisites on page 42.
Note: A MySQL database is installed automatically with Shared Services. During configuration, you can specify the database name, username, and password to use.
44
To configure a database:
1 Launch the Configuration Utility.
See Launching the Configuration Utility on page 43.
2 From the list of installed products, select Shared Services and click Next. 3 On the task selection page, select Relational Storage Configuration and click Next. 4 From the list of supported databases, select the database and click Next.
The relational storage configuration details page is displayed.
Note: If you are configuring a product upgrade, the fields on this page are read-only except for the password.
5 Specify database information:

Table 2
Database Configuration Fields Enter the computer name of the server hosting the database. Specify the server port number on which the database listens, or accept the default port:

Server Port
DB250000 Oracle1521 SQL Server1433 MySQL3306
Product Database or SID (Oracle only)
Displays the name of each product being configured and its install location. This field cannot be changed. Enter the database name or the Oracle System Identification (database instance). You can enter only English alphanumeric characters and the dash character (-). Enter the name of the database owner. Enter the password of the database owner.
Username Password
6 Click Next. 7 If a database is detected, select one of the following options:

Drop all tables and create a new repository Reuse the existing repository (select this option if upgrading)
Note: If a database is detected, after running the Configuration Utility, Hyperion requires that you run the Sync OpenLDAP Utility to synchronize the differences between the relational repository and the OpenLDAP database. Selecting these database options does not synchronize the data automatically. For instructions, see Sync OpenLDAP Utility on page 201.
8 Click Next to go to the next configuration task or to finish.
Configuring Relational Storage
45
Changing the Database Password

To change the password for the database owner (as specified during configuration):
1 Change the users password externally in the database.
Note: For MySQL, you do not have to change the password in the database; you can change it using only the Configuration Utility.
2 Stop the Shared Services server.

See Stopping Shared Services on page 52.

4 From the list of installed products, select Shared Services and click Next. 5 On the task selection page, select Relational Storage Configuration and click Next. 6 From the list of supported databases, select the database and click Next.
The relational storage configuration details page is displayed.
7 For Password, enter the new password for the user.

Note: If you also change the username to a different database owner, data is not migrated with the new user.
8 Click Next. 9 At the prompt to create a new repository or to reuse the existing repository, select Reuse the existing
repository.
10 Select Next and then Finish.

The Configuration Utility updates the appropriate configuration files with the new password.
11 Start the Shared Services server.

See Starting Shared Services on page 50.
Configuring the Mail Server

You must configure the mail server if you plan to use the Shared Services taskflow management system to manage tasks.
Note: The manage tasks functionality is described in the administrators and users guides for the products that support the Shared Services taskflow management system.
Shared Services requires you to configure the mail server setting by identifying the Simple Mail Transfer Protocol (SMTP) server.
46
To configure the mail server:

1 For SMTP Mail Server, enter the name of the SMTP mail server.
For example, on UNIX-based systems, sendmail might be the SMTP server for e-mail. On Windows systems, Exchange might be the mail server. Other common mail server programs are qmail and Exim.
2 Click Next to go to the next configuration tasks or to exit.
Deploying Shared Services to an Application Server

The Configuration Utility enables you to deploy Shared Services to an application server that is installed on the Shared Services machine. To view the list of supported application servers for this release, see Software Requirements on page 22.
Caution! On UNIX platforms, if you are using IBM WebSphere application server, use the same account
to install, deploy, and execute Hyperion products that you use to install WebSphere. Using the same account ensures that products are deployed successfully.
To deploy Shared Services to an application server:

2 From the list of installed products, select Shared Services and click Next. 3 On the task selection page, select Application Server Deployment and click Next. 4 From the list of supported application servers, select the application server and click Next.
A page is displayed that is specific to the selected application server.
5 Specify application server information:
Deploying Shared Services to an Application Server
47
Table 3
Application Server Configuration Fields Enter the path to the application server directory, or browse to the directory. For example:
Location
For WebSphere Base

c:\WebSphere\AppServer on Windows
or
/opt/WebSphere/AppServer on UNIX
For WebSphere Express

c:\IBM\WebSphere\Express51\AppServer on Windows
or
/opt/IBM/WebSphere/Express51/AppServer on UNIX
For WebLogic
c:\bea\weblogic81 on Windows
or
/opt/bea/weblogic81 on UNIX
For WebSphere, the Configuration Utility verifies that the specified WebSphere directory and the WebSphere temporary directory are set with Write permission. Write permission must be assigned before running the Configuration Utility.
BEA Home (WebLogic only)
For WebLogic, enter the path to the BEA Home directory (for example, c:\bea), or browse to and select the location. Enter your WebLogic username and password. Select this checkbox if you want to deploy as a manual Windows service. In the Windows service control panel, the service name is listed as:
Hyperion <Product> <AppServer><Version#>
Username and Password (WebLogic only) Deploy as service
For example:
Hyperion SharedServices9 WAS51
Manual Deployment
Select this checkbox to manually deploy to the application server. The Configuration Utility creates the necessary Web archives (EAR or WAR) to enable manual deployment at a future time. For more information, see the appendix for the application server you are using. Displays the name of each product or component being configured. This field cannot be changed. For example, if you are configuring Hyperion Reporting and Analysis, Intelligence and Web Analysis components may appear in this column. For products such as Essbase Administration Services, the product name appears as the component. Enter the name of the server where you can access the deployed product. You can enter only English alphanumeric characters and the dash character (-).
Component
ServerName
48
Table 3
Application Server Configuration Fields If you want to change the default port number that was set during installation, specify a different port number here. Otherwise, accept the default port number. The port number must not exceed 65535.
Port
Hyperion recommends using a port number greater than 1025 to avoid conflicts with third-party port assignments.
Each application port number must be unique. For a list of default port numbers, see Port Numbers Used By Hyperion Products on page 27. Domain (WebLogic only) Enter the name of the domain where you can access the deployed product. You can enter only English alphanumeric characters.
Note: For all application servers, if you chose to deploy automatically rather than manually, the Configuration Utility checks server disk space when starting deployment to ensure that the size of the EAR or WAR file (as specified in the product configuration file) is available for deployment. If the Configuration Utility indicates the available disk space is inadequate, you must specify a different location for storage of the EAR or WAR files in the product configuration file and then repeat the automatic deployment process. On WebSphere, if you chose to deploy automatically rather than manually, the Configuration Utility checks server disk space for the java.io.tempdir folder when starting deployment to ensure that at least four times the size of the EAR or WAR file (as specified in your product configuration file) is available for deployment. If the available disk space on the server is inadequate, the Configuration Utility relocates the java.io.tempdir file to the HYPERION_HOME\temp directory (HYPERION_HOME/temp directory for UNIX). After deployment is completed, the folder is automatically deleted.
6 Click Next to view configuration status. 7 Click Next to go to the next configuration task or to finish.
Postconfiguration Tasks
This section provides instructions for postconfiguration tasks:

Backing Up Shared Services Configuration Files on page 49 Starting Shared Services on page 50 Deploying WebLogic When Connected Through a Proxy Server on page 53 Enabling HTTPS for WebLogic on page 53 Updating the Default Session Timeout for WebLogic 8.1 on HP-UX on page 54
Backing Up Shared Services Configuration Files

Hyperion recommends that you back up Shared Services configuration files in case of failure. If configuration files are not backed up, upon recovery, you must reconfigure Shared Services. See Appendix E, Shared Services Backup and Recovery.
Postconfiguration Tasks
49
Starting Shared Services

This section describes how to start Shared Services if you did not deploy the Shared Services application server as a Windows service. If you deployed the Shared Services application server as a Windows service, start the service without restarting the computer, start the service manually from Windows control panel (Administrative Tools > Services).
To start Shared Services server:

1 Choose a method:
On Windows, select Start > Programs > Hyperion > Foundation Services > Start Shared Services. The menu item indicates which application server the Shared Services server is deployed to.
Execute the startup script:

Path to Script Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\ bin\startSharedServices9.bat
Application Server IBM WebSphere
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/ bin/startSharedServices9.sh
BEA WebLogic
Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\ startSharedServices.bat
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/ startSharedServices.sh
Oracle
Windows:
<OracleInstallDir>\bin\emctl start iasconsole <OracleInstallDir>\opmn\bin\opmnctl startall
UNIX:
<OracleInstallDir>/bin/emctl start iasconsole <OracleInstallDir>/opmn/bin/opmnctl startall
Apache Tomcat
Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\ bin\startSharedServices9.bat
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/ bin/startSharedServices9.sh
Note: <HSS_HOME> is the directory where Shared Services is installed; for example, c:\hyperion\SharedServices\9.2.
50
Verifying Successful Startup

To verify successful startup and configuration of Shared Services:
1 Look for the following confirmation messages in the Shared Services console window during startup:

Database Configuration Test Passed Security System Initialized Successfully Shared Services Initialized Successfully
On UNIX, when Shared Services is deployed to the Tomcat application server, these confirmation messages are logged to the following file: <HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/
SharedServices9/logs/Catalina.out
When Shared Services is deployed to WebSphere, these confirmation messages are logged to the following file:
Windows:
<WebSphereInstallDir>\AppServer\logs\SharedServices9\SystemOut.log
UNIX:
<WebSphereInstallDir>/AppServer/logs/SharedServices9/SystemOut.log
On UNIX and Windows, when Shared Services is deployed to WebLogic, these confirmation messages are also logged to the following file, unless the log level is set to WARN:
Windows:
<HSS_HOME>\AppServer\InstalledApps\WebLogic\8.1\SharedServices9\ logs\SharedServices_Metadata.log
UNIX:
<HSS_HOME>/AppServer/InstalledApps/WebLogic/8.1/SharedServices9/ logs/SharedServices_Metadata.log
2 On the Shared Services server computer, launch the User Management Console login page using one of
these methods:
a. Open a browser and enter this URL:

http://SharedServicesServerName:port#/interop
where SharedServicesServerName is the name of the computer where the Shared Services server is installed and port# is the Shared Services server port number. The default port number is 58080; if Shared Services server is installed to a non-default port, specify that value. For example, using the default port:
http://jdoe:58080/interop/ Note: As a best practice when accessing User Management Console on the machine where the Shared Services server is running, the URL to access the console should always use an IP address or a fully qualified machine name that includes the domain name. If the IP address is dynamic, use the fully qualified machine name.
51
b. On Windows, select Start > Programs > Hyperion > Foundation Services > User Management Console. If the User Management Console login page is displayed, Shared Services server is started successfully.
Stopping Shared Services

This section describes how to stop Shared Services if you did not install the Shared Services application server as a Windows service. If you installed the Shared Services application server as a Windows service, use Windows control panel to stop Shared Services server.
To stop Shared Services server, choose a method:
On Windows, select Start > Programs > Hyperion > Foundation Services > Stop Shared Services. The menu item indicates which application server the Shared Services server is deployed to.
Execute the stop script:

Path to Script Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\ bin\stopSharedServices9.bat
Application Server IBM WebSphere
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/ bin/stopSharedServices9.sh
BEA WebLogic
Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\ stopSharedServices.bat
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/ stopSharedServices.sh
Oracle
Windows:
<OracleInstallDir>\bin\emctl stop iasconsole <OracleInstallDir>\opmn\bin\opmnctl stopall
UNIX:
<OracleInstallDir>/bin/emctl stop iasconsole <OracleInstallDir>/opmn/bin/opmnctl stopall
Apache Tomcat
Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\ bin\stopSharedServices9.bat
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/ bin/stopSharedServices9.sh
Note: <HSS_HOME> is the directory where Shared Services is installed; for example, c:\hyperion\SharedServices\9.2.
52
Using the FORCESHUTDOWN Command on WebLogic

On WebLogic, if Shared Services server cannot be shut down gracefully, a message is displayed that suggests using the FORCESHUTDOWN command to override inflight work and shut down the server.
To use the FORCESHUTDOWN command to stop Shared Services server:

1 Open the stop script in a text editor.
See Stopping Shared Services on page 52 for the stop script location.
2 Find SHUTDOWN in the file and replace it with FORCESHUTDOWN. 3 Save and execute the file.
Deploying WebLogic When Connected Through a Proxy Server

If you are deploying a product to WebLogic via a proxy server, this process is automated; you do not need to complete additional manual steps for the deployment.
Enabling HTTPS for WebLogic

To enable HTTPS support on WebLogic:
1 Deploy Shared Services on WebLogic using Hyperion Configuration Utility.
For instructions see, Deploying Shared Services to an Application Server on page 47.
2 Open this file in a text editor:

HSS_HOME\SharedServices\9.2\AppServer\InstalledApps\WebLogic\ 8.1\SharedServices9\config.xml
3 Add an attribute Enabled=true in the SSL tag as follows:

<Server ..........> <SSL Enabled=true ........../> </Server>
4 Save and close the file. 5 Start the Shared Services server on WebLogic. 6 Log on to the WebLogic Administration Console:
a. Open a browser and set the address to http://servername:portno/console where servername and portno are the server and port (specified during installation) on which the WebLogic server is running; for example, http://localhost:58080/console. b. Specify the username and password as follows:

Username: system Password: weblogic
7 In the left frame, select SharedServices9 > Servers > SharedServices.
53
8 In the right frame, click the Configuration tab and select the Keystores & SSL sub-tab. 9 Click the Change link for Keystore Configuration. 10 In Specify Keystore Type, for Keystores, select Demo Identity and Demo Trust (if not selected) and click
Continue.
Note: In this scenario, the Demo keystore files that come bundled with WebLogic are used.
11 On the Keystore & SSL tab, click Apply. 12 Restart Shared Services server on WebLogic.
HTTPS is enabled on port 7002. You can access Shared Services using the following URL:
https://servername:7002/interop
Updating the Default Session Timeout for WebLogic 8.1 on HP-UX

For HP-UX, Shared Services deployments to WebLogic 8.1 servers can take over 30 minutes to shut down the application server. This is because the default session timeout for WebLogic applications is 3600 seconds (1 hour). To enable quicker shut downs, you can limit session timeouts. Session timeouts are limited by adding a TimeoutSecs parameter to the weblogic.xml configuration file located in <HSS_InstallLocation>/AppServer/ InstalledApps/WebLogic/8.1/SharedServices9/interop/WEB-INF/. Add this section to the <session-param> section of weblogic.xml:
<param-name>TimeoutSecs</param-name> <param-value>timeout value in seconds</param-value>
For example:
<session-param> <param-name>TimeoutSecs</param-name> <param-value>120</param-value> </session-param>
Reconfiguration
The Configuration Utility enables you to reconfigure Shared Services multiple times. Reconfiguration procedures are identical to the initial configuration procedures. Launch the Configuration Utility, select Shared Services, and repeat the procedures. Select the options that you want to change and follow the prompts to enter the required information.
54
Configuration Troubleshooting
Because the Configuration Utility separates configuration from product installation, the task of tracking and correcting configuration errors is simplified. The Configuration Utility logs configuration errors and warning messages to a log file, configtool.log, in a central location:

Windows: %HYPERION_HOME%\common\config\logs UNIX: $HYPERION_HOME/common/config/logs
Configuration Troubleshooting
55
56
Chapter
6
In This Chapter
Uninstalling Shared Services and Hyperion Hub
This chapter explains how to uninstall Shared Services and Hyperion Hub.
About Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Uninstalling Shared Services and Hyperion Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
57
About Uninstalling Shared Services and Hyperion Hub

Shared Services provides a cross-platform uninstaller program that helps you remove Shared Services or Hyperion Hub from your system. The uninstaller does not remove common components residing in the HYPERION_HOME\common directory, nor does it uninstall the database that contains data.
Note: If you installed an earlier release of Shared Services or Hyperion Hub, you do not need to uninstall it before installing this release.

Before uninstalling Shared Services or Hyperion Hub, stop all activities and processes tied to Shared Services or Hyperion Hub, including the application server, database, and servers related to Shared Services or Hyperion Hub, except if you are using IBM WebSphere as the Web application server. WebSphere should be left running because it removes files during uninstallation.
Uninstalling Hyperion Hub Release 7.0

To uninstall Hyperion Hub Release 7.0:
1 Launch the uninstaller for your platform:
Windowsc:\Program Files\Hyperion\HyperionHub\7.0\uninstall\
uninstallHyperionHub7.0.exe
UNIX/home/username/Hyperion/hyperionhub/7.0/uninstall/
uninstallhyperionhub7.0.bin
Note: On Windows platforms, you can also uninstall from the Control Panel (Add/Remove Programs).
2 Follow the uninstallation prompts.
Uninstalling Hyperion Hub Release 7.0.1

To uninstall Hyperion Hub Release 7.0.1:
Windowsc:\Program Files\Hyperion\HyperionHub\7.0.1\uninstall\
UNIX/home/username/Hyperion/hyperionhub/7.0.1/uninstall/
58
Uninstalling Hyperion Hub Release 7.2.x

To uninstall Hyperion Hub Release 7.2.x:
Windowsc:\Program Files\Hyperion\HyperionHub\7.2.x\uninstall\
UNIX/home/username/Hyperion/hyperionhub/7.2.x/uninstall/
Uninstalling Shared Services Release 9.2.1

To uninstall Shared Services Release 9.2.1:
Windows
<HSS_HOME>\uninstall\uninstallHyperionSystemSharedServices.exe
UNIX
<HSS_HOME>/uninstall/uninstallHyperionSystemSharedServices.bin
where <HSS_HOME> is the directory where Shared Services is installed; for example, c:\hyperion\SharedServices\9.2.
Caution! Uninstalling Japanese and Korean language Hyperion products using the Microsoft Windows
Add/Remove Program may cause an operating system crash. To avoid this potential problem when uninstalling, locate the uninstallHyperionSystemSharedServices.exe file (located in <HSS_HOME>\uninstall) and double-click the executable to perform the uninstallation manually.
59
60
Chapter
About External Authentication and Single Sign-On
This chapter helps you to set up Hyperion applications to use external authentication and single sign-on. Using external authentication to manage user accounts on Hyperion applications provides two main benefits: The established corporate structure of user accounts is employed by Hyperion applications, thus reducing administrative overhead. External authentication provides for single sign-on to Hyperion applications, which eliminates the need for users to log on multiple times with multiple usernames and passwords.
In This Chapter
About External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 About Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 About Support for SiteMinder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 External Authentication and Single Sign-On Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
61
About External Authentication

External authentication means the user login information needed by Hyperion applications is stored outside the applications. The information is maintained in a central authentication directory, such as Lightweight Directory Access Protocol (LDAP) Directory, Microsoft Active Directory (MSAD), Windows NT LAN Manager (NTLM), or SAP. An authentication directory is a centralized store of user and perhaps corporate information. The directory functions like a telephone directory. It can contain much more than usernames and passwords; for example, it may include e-mail addresses, employee IDs, job titles, access rights, and telephone numbers. It may also contain corporate information; for example, it may contain information about corporate locations or other entities.
Note: Users with blank passwords are not supported.
To use external authentication for Hyperion applications, your organization must have an authentication directory containing corporate user information. Additionally, you must modify the XML-based security configuration file associated with your product to specify correct information pertaining to your corporate authentication directory. The following types of authentication repositories are supported:

NTLM on Windows 2000 and Windows 2003 LDAP version 3 or higher MSAD on Windows 2000 and Windows 2003 SAP Enterprise Portal, SAP R/3, SAP BW
For information about external authentication concepts, see External Authentication and Single Sign-On Terminology on page 64.
About Single Sign-On

Single sign-on enables users to access multiple Hyperion products after logging on only once. When an externally authenticated user logs on a Hyperion product, an encrypted token is generated. The token contains the user credentials in the form of the username, and in some cases, the password. The presence of a password in the token depends on the configuration. If you are using a trusted authentication directory, no password is present or required in the token.
62
As shown in the following figure, the token is passed among other Hyperion products and is used as needed to reauthenticate the user automatically when the user moves to another application. Single sign-on is effective in cases where one Hyperion product launches another. If a user launches a second product independently; for example, from the Start menua token cannot be passed between the products, and the user must reauthenticate.
Tokens are encrypted; however, additional security such as Secure Sockets Layer (SSL) protocol is recommended for prevention of replay attacks (a form of network attack in which a data transmission is maliciously or fraudulently repeated or delayed) or man in the middle attacks (an attack in which an attacker is able to read, insert, and modify messages between two parties without the parties knowing the link between them has been compromised). To enable single sign-on among multiple Hyperion applications that launch one another, you must use one XML configuration file that is shared by the multiple product installations. See Chapter 10, Configuring External Authentication for Shared Services. For information about key single sign-on concepts, see External Authentication and Single Sign-On Terminology on page 64.
About Support for SiteMinder

In addition to native Hyperion single sign-on, Hyperion products can be integrated with Web access management solutions such as Netegrity SiteMinder. Web access management solutions are employed by organizations to manage and enforce authentication, authorization, and single sign-on for Web resources such as JSP, ASP, or HTML files. Web-based Hyperion products support single sign-on from a Web access management solutions provider, also known as a security agent. Integration with a security agent requires configuration of the <securityAgent> element in the XML configuration file.
Note: In this documentation, the terms security agent and Web security agent are interchangeable. They refer to Web access management solutions providers such as Netegrity SiteMinder.
About Support for SiteMinder
63
The following security agents are tested and supported for single sign-on with Hyperion applications:

SiteMinder Policy Server 5.5 Service Pack 2 SiteMinder Web Agent 5.5 Service Pack 2
If your corporation implements SiteMinder to protect company Web resources, you can configure the security platform to require only that users authenticate through SiteMinder, after which they are not required to present credentials again when logging in to Hyperion applications. For information about configuring the securityAgent element in the XML configuration file, see Configuring SiteMinder Single Sign-On on page 96. For a sample deployment scenario illustrating single sign-on with SiteMinder, see Single SignOn with SiteMinder on page 120.
External Authentication and Single Sign-On Terminology

The following table defines key external authentication and single sign-on concepts:
Concept Authentication repository Definition A centralized, corporate store of user and group information May also be referred to as directory or provider. The security platform provides built-in support for the following providers: Lightweight Directory Access Protocol (LDAP) Directory, Windows NT LAN Manager (NTLM), Microsoft Active Directory (MSAD), and SAP . The security platform relies on an XML document to be configured by the product administrator or installer of the software The XML document must be modified to indicate meaningful values for properties, specifying locations and attributes pertaining to the corporate authentication scenario. External authentication Identity Security agent The process of authenticating a user ID and password on an authentication server, such as an LDAP or NTLM server, instead of authenticating with the current server or application A unique identification of one user or group on an external authentication repository A Web access management solutions provider employed by companies to protect Web resources, also known as a Web security agent The Netegrity product, SiteMinder, is an example of a security agent. Security platform Single sign-on A framework providing the ability for Hyperion applications to use external authentication and single sign-on The ability of an externally-authenticated user to access multiple, linked Hyperion applications after logging on to the first application The user can launch other applications from the first application and from other linked Hyperion applications without logging on again. The username and password are authenticated. Token An encrypted identification of one user or group on an external authentication system
Configuration file
64
Chapter
Implementing Hyperion External Authentication
Use Shared Services External Authentication Configuration Console to manage external authentication outside the context of a particular product or application. After you configure Shared Services, you can configure other Hyperion products that use external authentication by referencing the Shared Services configuration. For Shared Services functionality to be implemented for Hyperion products or applications, each product requires access to a Shared Services server running Shared Services server software and to a database dedicated to Shared Services. For database options, see Chapter 5, Configuring and Setting Up Shared Services.
In This Chapter
Workflow for Setting Up External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Preparing to Implement External Authentication and Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
65
Workflow for Setting Up External Authentication

Use the following process to set up external authentication for Hyperion products: 1. From the Oracle E-Delivery site, download and install Shared Services. See Chapter 4, Installing and Upgrading Shared Services. 2. Complete the application server and database configuration steps for Shared Services before proceeding with configuration of external authentication. See Chapter 5, Configuring and Setting Up Shared Services. 3. Configure external authentication for Shared Services. See Chapter 10, Configuring External Authentication for Shared Services. 4. Download and install the Hyperion products you plan to use. 5. Configure the Hyperion products you use to reference the Shared Services external authentication configuration. See the Hyperion product installation guides for instructions. 6. If you use NTLM authentication, complete the steps described in Chapter 9, Using NT LAN Manager for External Authentication. 7. If you use Web Access Management Solutions (Netegrity), complete the steps described in Configuring SiteMinder Single Sign-On on page 96.
Preparing to Implement External Authentication and Single Sign-On

You must complete the following tasks before implementing external authentication and single sign-on with Hyperion applications: 1. Decide which Hyperion products and which operating systems the external authentication functionality needs. See Software Requirements on page 22. Decide which of the supported authentication providers, on which platforms, to make available in the security realm. See Software Requirements on page 22. Web-based Hyperion applications can be used with Netegrity Siteminder version 5.5 or higher in conjunction with the supported directories. For details on installation and configuration of Netegrity Siteminder, see the Siteminder installation documentation at http://www.netegrity.com. 2. Install and configure Shared Services, available on the Oracle E-Delivery site. See Chapter 4, Installing and Upgrading Shared Services and Chapter 5, Configuring and Setting Up Shared Services. After you configure Shared Services for external authentication, you can configure other Hyperion products to use external authentication by referencing the Shared Services configuration. See the product installation guides.
66
3. If your corporation implemented SiteMinder to protect company Web resources, you can configure the security platform to enable single sign-on among Hyperion applications and SiteMinder. See Configuring SiteMinder Single Sign-On on page 96 and About Support for SiteMinder on page 63. 4. If you are implementing security using an NTLM provider and using UNIX on the computer where the Hyperion application software is installed, ensure Hyperion Remote Authentication Module is installed. 5. Download and install the Hyperion Remote Authentication Module from the Hyperion Download Center. See Using the Hyperion Remote Authentication Module on page 103. 6. After the Remote Authentication Module is installed, provide its URL as a value to the remoteServer element in the security platform XML configuration file. 7. If you want to enable authentication of users from multiple Windows domains, but you do not want to set up trust relationships among the domains, install the Hyperion Remote Authentication Module on a separate Windows server. Separate installation enables users of Hyperion applications running on one domain to log on to Hyperion applications on other domains. All domains involved must be running Hyperion applications that are configured to use one Hyperion Remote Authentication Module instance.
Preparing to Implement External Authentication and Single Sign-On
67
68
Chapter
9
In This Chapter
Using NT LAN Manager for External Authentication
The directions in this chapter apply to administrators who want to enable one or more Hyperion applications to use external authentication of users in a Windows NT LAN Manager (NTLM) domain.
Setting Up User Rights for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 UNIX Application Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Multiple-Domain Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
69
Setting Up User Rights for NT LAN Manager

To enable use of the NTLM provider, access rights are required of the Windows NT user account on which the application or application server runs.
Note: Ensure you set up access rights on the computer on which the application runs, rather than on the NT domain computer.
Additionally, access rights are required for end users. The following access rights are required for external authentication to work with an NTLM provider:
Access this computer from the network (usually granted to Administrators). End users of Hyperion applications using external authentication require this right. Act as part of the operating system (normally not granted to anyone). The account used to run Hyperion application processes requires this right for external authentication to work. The logged on user should be a domain user. The user running the application or application server of the Hyperion product should be a domain user rather than a local Windows user.
See one of the following topics, depending on which operating system you use.

Setting Up User Rights on Windows 2000 on page 70 Setting Up User Rights on Windows 2003 on page 71
Setting Up User Rights on Windows 2000

To set up user rights on Windows 2000:
1 Select Start > Settings > Control Panel > Administrative Tools > Local Security Policy.
This opens the Local Security Settings dialog box.
2 In the left frame of Local Security Settings, expand the folder named Local Policies. 3 Click the folder named User Rights Assignment, and, in the right area, double-click the policy named
Access this computer from the network.
The Local Security Policy Setting dialog box for the Access this computer from the network policy is displayed.
4 If the relevant user account has the policy checked, click Cancel and skip to step 9. 5 Click Add. 6 Select the name of the user or group needing the right. 7 Click Add. 8 Click OK.
70
9 In the right frame, double-click the policy named Act as part of the operating system.
The Local Security Policy Setting dialog box for the Act as part of the operating system policy is displayed.
10 If the relevant user account has the policy checked, click Cancel and skip the rest of this procedure. 11 Click Add. 12 Select the name of the user or group needing the right. 13 Click Add. 14 Click OK.
Setting Up User Rights on Windows 2003

To set up user rights in Windows 2003:
1 Select Start > Control Panel > Administrative Tools > Local Security Policy.
This opens the Local Security Settings dialog box.
2 In the left frame of Local Security Settings, expand the folder named Local Policies. 3 Click the folder named User Rights Assignment, and, in the right area, double-click the policy named
Access this computer from the network.
The Access this computer from the network Properties dialog box is displayed.
4 If the relevant user account is listed as having this right, click Cancel and skip to step 9. 5 Click Add User or Group. 6 Enter the name of the user or group needing the right. 7 Click OK. 8 In Access this computer from the network Properties, click OK. 9 In the right frame of Local Security Settings, double-click the policy named Act as part of the operating
system.
The Act as part of the operating system Properties dialog box is displayed.
10 If the relevant user account is listed as having this right, click Cancel and skip the rest of this procedure. 11 Click Add User or Group. 12 Enter the name of the user or group needing the right. 13 Click OK. 14 In Act as part of the operating system Properties, click OK. 15 Close Local Security Settings.
Setting Up User Rights for NT LAN Manager
71
UNIX Application Support for NT LAN Manager

If you are implementing external authentication with an NTLM provider and were to support the use of a UNIX computer for the client application or if you must ensure Hyperion Remote Authentication Module is installed on a Windows 2000 server, see Chapter 11, Using the Hyperion Remote Authentication Module.
Multiple-Domain Support for NT LAN Manager

In addition to UNIX application support, Hyperion Remote Authentication Module enables a Hyperion application to authenticate users belonging to other domains that are not trusted by the domain on which the Hyperion application is installed. This removes the necessity to establish trust relationships among the domains. Therefore, installing Hyperion Remote Authentication Module can be useful to the following groups:

UNIX application users who must log on using a Windows domain Windows users who must log on using multiple Windows domains, although no trust relationships are set up
See Chapter 11, Using the Hyperion Remote Authentication Module.
72
Chapter
10
Configuring External Authentication for Shared Services
This chapter tells administrators how to configure Shared Services to support authentication of users stored in LDAP, MSAD, Windows NTLM, or SAP external authentication providers. Configuration also enables single sign-on for accessing multiple Hyperion applications after logging on only once using external credentials.
In This Chapter
How Configuration Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Launching the External Authentication Configuration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Adding or Editing an LDAP or MSAD Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Adding or Editing an NT LAN Manager Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Working with an SAP Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Setting the Search Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Setting the Token Time-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Configuring the Preferred Logging Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Enabling the Security Agent for Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Additional Configuration Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Deleting a Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Notes About User and Group Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Configuring SiteMinder Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Using Secure Sockets Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
73
How Configuration Works

To configure Hyperion products for external authentication and single sign-on, use the Shared Services External Authentication Configuration Console to configure Shared Services for external authentication. After you configure Shared Services and verify that external authentication is successful, configure other products by referencing the Shared Services configuration using Hyperion Configuration Utility. When you use the Shared Services External Authentication Configuration Console to set up external authentication, the console writes your configuration information to the CSS.xml file packaged with Shared Services. For a sample XML configuration file, see Appendix F, Sample Configuration XML Files.
Note: Although Hyperion products include XML files that can be configured separately for external authentication, Hyperion strongly recommends simplifying the configuration by using Shared Services. For information about referencing the Shared Services configuration, see the Hyperion product installation guides.
If you are using an earlier release of a Hyperion product with this release of Shared Services, you must have two versions of the external authentication configuration file (CSS.xml) on your system:

The current Shared Services configuration file installed with this release of Shared Services The Hyperion product configuration file installed with the earlier release of your product
Note: Anytime you update the external authentication configuration, you must restart Shared Services AND all Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
Launching the External Authentication Configuration Console

The Shared Services External Authentication Configuration Console is installed as part of the Shared Services installation.
To launch the External Authentication Configuration Console:

1 If it is not started, start the Shared Services server.
See Starting Shared Services on page 50.
2 Launch the External Authentication Configuration Console by selecting Start > Programs > Hyperion >
Foundation Services > External Authentication Configuration Console.
The External Authentication Configuration Console is a Web-browser interface to Shared Services, set to the following address:
http://hostname:portno/interop/framework/login
where hostname and portno are the host and port number on which Shared Services is running, for example,
http://localhost:58080/interop/framework/login
74
3 Enter your user name and password.

The default login information is as follows: User: admin Password: password
4 Click Log on.
Adding or Editing an LDAP or MSAD Provider

Use External Authentication Configuration Console to add, edit, and configure LDAP or MSAD providers for external authentication.
Note: When you use External Authentication Configuration Console to make changes to external authentication, the console updates the CSS.xml file located at: <HSS_HOME>\AppServer\InstallableApps\ common, where <HSS_HOME> represents the directory where Shared Services was installed.
To add an LDAP or MSAD provider:

1 Launch Shared Services External Authentication Configuration Console. 2 Click Add. 3 Select LDAP or MSAD, and click Next. 4 Complete the tasks described in the following topics:

Naming the Provider Configuration (Required) on page 75 Specifying Hostname, Port, and Base DN (Required) on page 76 Setting a Read-Only User Account or Selecting an Anonymous Bind (Required) on page 76 Specifying the Location of Users (Optional) on page 77 Specifying the Location of Groups (Optional) on page 77 Specifying the Provider Trust Setting (Optional) on page 77 Setting Maximum Result-Set Size (Optional) on page 79 Setting Authorization Type (Optional) on page 79 Completing the Configuration (Required) on page 79
To edit a provider, click Edit instead of Add, and complete the relevant tasks in the preceding list.
Naming the Provider Configuration (Required)

You must provide a configuration name for each external authentication provider. Provider configuration names enable you to distinguish among multiple providers of one type. For example, two LDAP providers might be named ldapserver1 and ldapserver2.
75
Configuration names do not have to match server names.
To name the LDAP or MSAD configuration:

1 In Name, type a configuration name (for example, ldapServer1 or ldapserver2). 2 Click Save or continue to the next section.
Specifying Hostname, Port, and Base DN (Required)

You must indicate the address of the external authentication provider.
To specify the host information:

1 In Hostname, enter the name of the computer hosting the LDAP or MSAD repository.
For example, myHost2.
2 In Port, enter the port number used by the LDAP or MSAD repository; for example, 58089. 3 In Base DN, enter the directory information tree (DIT) section of an LDAP or MSAD URL.
You must include the domainComponent attributes (DCs); for example, DC=company,DC=com.
4 Click Save or continue to the next section.

Shared Services cannot access users and groups from LDAP servers where the root context contains spaces. To work around this problem, after you click Save, modify the root context entry in the external authentication configuration file as shown in the following text. If the root context is as follows:
ldap://hostName:58089/dc=Engg Dept,dc=com
the entry should be:

ldap://hostName:58089/dc=Engg%20Dept,dc=com
Setting a Read-Only User Account or Selecting an Anonymous Bind (Required)

You must provide a default way for Hyperion products to connect to the external authentication directories.
To provide a connection method:

1 Complete one of the following actions:
In User DN, Password, and Confirm Password, enter the information pertaining to a user account having at least read access to the directory information tree (DIT) specified in the Base DN field (for example, dc=company, dc=com). This enables a Hyperion product to get user information from the LDAP or MSAD directory when a user attempts to log on to the Hyperion product using external credentials.
76
If the administrator configures the directories to provide anonymous access to the directory information tree, select Anonymous bind.
Specifying the Location of Users (Optional)

You can identify the location where users are stored in the directory information tree. Optionally, if you want the provider to search the whole directory specified by the Base DN, skip this section.
To provide the user location:

1 In User URL, enter a value indicating the branch in the directory server containing user entries; for
example, ou=People.
Specifying the Location of Groups (Optional)

You can identify the location where groups are stored in the directory information tree. Optionally, if you want the provider to search the whole directory specified by the Base DN, skip this section.
To provide the group location:

1 In Group URL, enter a value indicating the branch in the directory server containing group entries; for
example, ou=Groups.
Specifying the Provider Trust Setting (Optional)

When set to true, the trust setting means that the user credentials found in a token received by a Hyperion application are not validated against the external authentication repository. This quickens the authentication process. When the trust setting is true in a single sign-on scenario, these actions occur: 1. Hyperion application 2 receives a token from another Hyperion application 1 that launches it. The password is not part of the token. 2. Hyperion application 2 sends the token to the single sign-on mechanism. 3. The single sign-on mechanism validates the token is constructed properly. (Token decryption and read are successful.) 4. The single sign-on mechanism validates the token has not timed out.
Note: The single sign-on token carries the time the token was created and times out based on the settings provided in the external authentication configuration file. Therefore, ensure the system clock is set correctly.
77
5. The single sign-on mechanism extracts the identity from the token and validates it exists within the authentication providers. 6. The single sign-on mechanism confirms the user exists within the authentication providers. 7. The single sign-on mechanism returns the identity string to Hyperion application 2 to complete authentication. When the trust setting is false in one sign-on scenario, additional steps are taken. Steps 4-6 are unique to untrusted providers. 1. Hyperion application 2 receives a token from another Hyperion application 1 that launches it. The password is part of the token. 2. Hyperion application 2 sends the token to the single sign-on mechanism. 3. The single sign-on mechanism validates the token is constructed properly. (Token decryption and read are successful.) 4. The single sign-on mechanism validates the token has not timed out.
5. The single sign-on mechanism extracts the identity and password from the token. 6. The single sign-on mechanism validates the username and the password against the authentication providers indicated in the configuration. 7. The single sign-on mechanism receives an approval or denial to authenticate from the authentication provider. 8. The single sign-on mechanism returns the identity string to Hyperion application 2 to complete authentication.
To specify the provider trust setting:

1 Clear Trusted if this is not a trusted LDAP or MSAD provider, or select Trusted if this is a trusted provider.
If the trust setting is true, a password is not present or required in the token generated upon user authentication. The user still must log on with a username and password, but the password is not stored in the token.
Note: For an explanation of tokens, see About External Authentication on page 62.
If the trust setting is false, a password is part of the token and is required for this NTLM provider.
Note: If your corporation uses a security agent such as Netegrity SiteMinder to protect company Web resources, the provider must be trusted. See Configuring SiteMinder Single Sign-On on page 96
78
2 Click Save or continue to Setting Maximum Result-Set Size (Optional) on page 79.
Setting Maximum Result-Set Size (Optional)

You can set the maximum number of entries that can be returned as a result of a request to the authentication provider (for example, a request by a Hyperion application to list users available for login).
To set the maximum result-set size for an LDAP or Active Directory provider:
1 In Maximum Size, enter the maximum number of entries to be returned in a query:

If Maximum Size is left empty, the default value is 100. If Maximum Size is set to 0, the result-set size is unlimited. This may not be advisable, because on very large query results, it might consume too much memory.
2 Select Save or continue to the next section.
Setting Authorization Type (Optional)

This configuration topic is relevant if you are using the Secure Sockets Layer (SSL) protocol for secure data transmission to and from the authentication provider.
To set the authorization type, in Authorization Type, leave the default value of Simple, or
select SSL enabled if you are implementing Secure Sockets Layer. See Using Secure Sockets Layer (SSL) on page 97.
Completing the Configuration (Required)

To complete the configuration, click Save.
Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml). Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
Note: Shared Services cannot access users and groups from LDAP servers where the root context contains spaces. To work around this problem, after you click Save, modify the root context entry in the external authentication configuration file as described in Specifying Hostname, Port, and Base DN (Required) on page 76.
79
Adding or Editing an NT LAN Manager Provider

Use the Shared Services External Authentication Configuration Console to add, edit, and configure Windows NTLM providers for external authentication.
Note: When you use External Authentication Configuration Console to make changes to the external authentication configuration, the console updates the CSS.xml file located at: <HSS_HOME>\AppServer\ InstallableApps\common, where <HSS_HOME> represents the directory where Shared Services was installed.
To add an NTLM provider:

1 Launch External Authentication Configuration Console. 2 Click Add. 3 Select NTLM and click Next. 4 Complete the tasks described in the following topics:

Naming the Provider Configuration (Required) on page 80 Specifying the Domain (Optional) on page 81 Specifying a Remote Authentication Module Location (Optional) on page 81 Specifying the Provider Trust Setting (Optional) on page 82 Setting Maximum Result-Set Size (Optional) on page 82 Completing the Configuration (Required) on page 83
To edit an NTLM provider:

1 Launch External Authentication Configuration Console. 2 Click Edit. 3 Complete the relevant tasks described in the preceding list of topics.
Note: Click Save often to commit your configuration changes to the CSS.xml file.
Naming the Provider Configuration (Required)

You must provide a configuration name for each external authentication provider. Provider configuration names enable you to distinguish among multiple providers of one type. For example, two NTLM providers might be named ntlmserver1 and ntlmserver2. Configuration names do not have to match server names.
To name the NTLM configuration:

1 In Name, enter a configuration name (for example, ntlmServer or ntlmserver2). 2 Click Save or continue to the next section.
80
Specifying the Domain (Optional)

If a domain is specified, the NTLM provider is responsible for performing operations on that domain. Alternatively, if the domain element is left empty, the provider performs operations on the trusted domains. If you do not specify a domain element in the configuration file, a search for a user or group that is specified in multiple places returns only the first match. The match order is as follows:

Local computer Domain of local computer Trusted domains
For example, if the local computer and the domain of the local computer have an Administrators group and the domain element of the NTLM server is not specified in the external authentication configuration file, all methods that search for the Administrators group return only one. The returned group is the group on the local computer. Hyperion recommends you specify a domain element in the external authentication configuration file. If a user ID exists with one password in an NTLM repository and another password in another repository (LDAP or MSAD), and NTLM is earlier in the search order, authenticating the LDAP or MSAD user ID can result in a lock out of the NTLM user account. To address this situation, Hyperion recommends you use the provider hint while authenticating a user, if the authentication repository is known.
To specify the NT LAN Manager domain:

1 In Domain, enter the domain name (for example, HYPERION).
Use the name of the Windows domain that your company uses as an authentication provider.
Specifying a Remote Authentication Module Location (Optional)

This step applies only if you are supporting the following groups:
UNIX application users who must log on using a Windows domain. See UNIX Application Support for NT LAN Manager on page 72. Windows users who must log on using multiple Windows domains although no trust relationships are set up. See Multiple-Domain Support for NT LAN Manager on page 72.
Adding or Editing an NT LAN Manager Provider
81
To specify the location of the Hyperion Remote Authentication Module:

1 In Host name, enter the host name of the Remote Authentication Module. 2 In Port, enter the port number on which the Remote Authentication Module runs.
The default port number is 58000. See Using the Hyperion Remote Authentication Module on page 103.
Specifying the Provider Trust Setting (Optional)

To specify the provider trust setting:
1 Clear Trusted if this is not a trusted NT LAN Manager provider, or select it if this is a trusted provider.
If the trust setting is true, a password is not present or required in the token generated upon user authentication. The user still must log on with a user name and password, but the password is not stored in the token. If the trust setting is false, a password is part of the token, and this is required for this NTLM provider.
Note: If your corporation uses a security agent such as Netegrity SiteMinder to protect company Web resources, the provider must be trusted. See Configuring SiteMinder Single Sign-On on page 96.
See Specifying the Provider Trust Setting (Optional) on page 77.
Setting Maximum Result-Set Size (Optional)

You can set the maximum number of entries to be returned as a result of a request to the authentication provider (for example, a request by a Hyperion application to list users available for login).
To set the maximum result-set size for an NT LAN Manager provider:

1 In Maximum Size, enter the desired maximum number of entries that can be returned in a query.

If Maximum Size is left empty, the default value is 100. If Maximum Size is set to 0, no results are returned.
Note: The preceding statement is true only for NT LAN Manager. When you use LDAP or Active Directory (MSAD), a maximum size of 0 means the result-set size is unlimited.
2 Continue to the next section.
82
Completing the Configuration (Required)

To complete the configuration, click Save.
Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml). Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
Working with an SAP Provider

Shared Services supports single sign-on (SSO) with SAP by accepting an SAP logon ticket. This enables users defined in an SAP user store that may be synchronized with a corporate directory (LDAP enabled directories such as iPlanet, Active Directory) to seamlessly navigate between SAP (SAP Enterprise Portal, SAP R/3, and SAP BW) and Hyperion applications. If an SAP provider is configured, users can also directly logon to Hyperion applications using the user ID and password stored in the SAP system. The SAP provider creates the SAP logon ticket to enable SSO with SAP systems. After an SAP provider is configured, the SAP users and activity groups (roles) are displayed when you select the SAP provider in the User Management Console. SAP roles are depicted as groups in the console. You then provision users or groups (roles) with the appropriate Hyperion roles to assign appropriate access privileges to Hyperion applications. When a user logs into Hyperion applications, Shared Services authenticates the user and issues a login token. When the user accesses the SAP system, the Hyperion application passes the SAP logon ticket contained in the token to SAP to enable SSO. When a user logs on to the SAP Portal and navigates to Hyperion applications, an SAP logon ticket is passed to Shared Services. Shared Services decrypts the SAP logon ticket using the specified SAP certificate. This is depicted in the following illustration.
83
If a corporate directory is used by the SAP system as a primary store for user data, Shared Services can enable SSO between Hyperion applications and SAP systems even if an SAP provider is not configured. This requires that the corporate directory used by the SAP system be:

supported by Shared Services (see Chapter 3, Planning the Shared Services Installation) included in the search order defined in the provider configuration
In this scenario, Hyperion applications must receive the SAP logon ticket to enable SSO with SAP.
Prerequisites
All SAP systems within the SAP landscape must be set up for single sign-on with the SAP login ticket. User IDs must be normalized across the SAP landscape so that a user ID in one SAP system refers to the same user across all SAP systems. See the SAP documentation for more information. Copy/download the SAP JCo binaries (.dll files for Windows and shared libraries for UNIX) into %HYPERION_HOME%/common/SAP/bin directory. For example: /vol1/Hyperion/common/SAP/bin (UNIX) C:\Hyperion\common\SAP\bin (Windows). These binaries are available in your SAP distribution. You may also download them from the SAP web site. Copy/download the SAP JCo archives (.jar files) into %HYPERION_HOME%/common/SAP/lib directory. For example: /vol1/Hyperion/common/SAP/lib (UNIX) C:\Hyperion\common\SAP\lib (Windows). These binaries are available in your SAP distribution. You may also download them from the SAP web site. Copy/download the following SAP libraries into %HYPERION_HOME%/common/SAP/lib directory. For example, /vol1/Hyperion/common/SAP/lib (UNIX) C:\Hyperion\common\SAP\lib (Windows). These libraries are required to verify the SAP SSO login ticket provided to Hyperion applications application. You can extract these libraries from the file system of any J2EE Engine 6.30 or higher or from the Enterprise Portal EP60 SP2 or higher by searching through the SDA files containing the libraries. Required only if Hyperion applications are plugged into SAP Enterprise Portal.

com.sap.security.core.jar com.sap.security.api.jar sapjco.jar sap.logging.jar iaik_jce.jar iaik_jce_export.jar (if using the export version of the IAIK-JCE libraries)
Execute the explodejar.bat (Windows) or explodejar.sh (UNIX) script file available in %HYPERION_HOME%/common/SAP/lib directory to extract the contents of the SAP libraries jar files.
84
Adding an SAP Provider

Use the Shared Services External Authentication Configuration Console to add, edit, and configure SAP providers for external authentication.
Note: When you use External Authentication Configuration Console to make changes to the external authentication configuration, the console updates the CSS.xml file located at: <HSS_HOME>\AppServer\ InstallableApps\common, where <HSS_HOME> represents the directory where Shared Services was installed.
To add an SAP provider:

1 Launch External Authentication Configuration Console. 2 Click Add. 3 Select SAP and click Next. 4 Enter the appropriate configuration parameters.
Fields that must contain valid parameters are indicated by the asterisk. Refer to Table 4 for detailed information on the parameters you can set in the Configure SAP Provider screen.
Table 4
SAP Provider Parameters Description A unique configuration name for the SAP provider. Used to identify the SAP provider in situations where multiple SAP providers are defined in Shared Services. The host name or IP address of the machine where the SAP Server is running. The client number of the SAP system to which you want to connect. The system number (for example, 00) of the SAP System to which you want to connect. The SAP user ID that Shared Services should use to access the SAP provider. This user must have the access privileges to use Remote Function Calls (RFC) to connect to SAP and access user, activity groups, and their relationship data. The SAP provider password of the user identified in the User ID field. The maximum number of entries that a query to the SAP provider may return. Default is 100. JCo connection pool size. A unique name for the connection pool that should be used to establish a link between Shared Services and the SAP provider. Language for messages, for example error messages, from the SAP System. By default, this is read from the system locale of the computer hosting Shared Services server. The location of SAP X509 certificate. This certificate is used to parse the SAP login ticket and to extract the user ID needed to support SSO. Required only if Hyperion applications are plugged into SAP Enterprise Portal.
Field/Checkbox Name SAP Server Name Client Number System Number User ID
Password Max Entries Pool Size Pool Name Language Location of SAP Digital Certificate
85
Table 4
SAP Provider Parameters Description Select this checkbox if the secure socket layer (SSL) is to be used to communicate between Shared Services and the SAP provider. Select this checkbox if authentication by SAP ticket is required.
Field/Checkbox SSL Enabled Trusted
5 Click Save.
Provisioning SAP Users/Activity Groups

After configuring an SAP provider, SAP users and roles are displayed in the User Management Console. Roles from the SAP system are displayed as distinct groups. Shared Services, however, does not import the relationships that exist between simple and composite roles within the SAP system. Both simple and composite roles can be nested within Hyperion native groups. You must provision SAP users/roles with appropriate Hyperion roles to provide them access to Hyperion applications. You can:

Provision SAP users/activity groups by assigning them Hyperion roles Add SAP users/activity groups to Hyperion native groups in the Shared Services directory to facilitate administration
Refer to the Shared Services User Management Guide for detailed information on provisioning users/activity groups.
Setting the Search Order

The search order provides the external authentication mechanism with the ability to access multiple providers in a sequential manner. At least one provider must be in the search order.
Note: If you are using Netegrity SiteMinder to manage and enforce authentication, authorization, and single sign-on for company Web resources, ensure the search order for directories in Shared Services and the search order for directories in Netegrity SiteMinder are the same.
To set the search order of authentication providers:

1 In External Authentication Configuration Console Defined Providers, select a provider and take one or more
of the following actions:
Click Add to place a provider in the search order. If a provider is left out of the search order, it cannot be used for authentication. Click Move Up to give the provider a higher priority in the search order. The first priority is 1. Hyperion recommends you place the provider containing the most users of Hyperion applications first in the search order.
86
Click Move Down to give the provider a lower priority in the search order. The last priority is represented by the highest number. Click Remove to remove a provider from the search order. At least one provider must remain in the search order. The providers you remove from the search order are not included as potential authentication sources.
2 Click Save.
Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml).
3 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication
configuration (including restarting Hyperion product services and servlets).
Setting the Token Time-Out

When an externally authenticated user logs on to a Hyperion application, a token is generated to contain the login credentials. You can configure the token to expire after a specified number of minutes other than the default of 480 minutes (8 hours).
To define the length of time a token is valid:

1 In the Additional Configuration section of the External Authentication Configuration Console, locate Token
Timeout, enter how many minutes should pass before a user is required to reauthenticate in Token Timeout.
2 Click Save.
Configuring the Preferred Logging Priority

You can adjust the level of authentication-related messages you want all participating Hyperion applications to log.
To configure the error level setting for applications supporting external authentication and
single sign-on:
1 In the Additional Configuration section of the External Authentication Configuration Console, locate
Logging Level.
2 In Logging Level, select the level of reporting Hyperion applications are to use when logging external
authentication activities.
Configuring the Preferred Logging Priority
87
In the following list of values, each level includes the levels below it:

DEBUG includes extensive information useful for debugging. INFO includes information on the status of operations and requests. WARN includes cautionary information, if relevant, for some operations and requests. ERROR includes only statements pertaining to failed operations and requests. FATAL includes only information about errors resulting in a disconnection.
The name of the log file is SharedServices_Security_Client.log, and it is stored in the temp directory of the operating system.
3 Click Save.
Enabling the Security Agent for Single Sign-On

For Web-based Hyperion products, single sign-on integration with Netegrity SiteMinder is available. SiteMinder is a Web access management solutions provider employed by companies to manage and enforce authentication, authorization, and single sign-on for company Web resources. After SiteMinder authenticates a user, the Hyperion security platform enables single sign-on for the user into a Web-based Hyperion application without challenging the user for credentials.
To enable integration with the security agent for single sign-on:

1 In the Additional Configuration section of External Authentication Configuration Console, select Support
Security Agent for Single Sign-on.
2 Click Save.
Additional Configuration Elements

The following optional configuration elements are not currently available using the Shared Services External Authentication Configuration Console. If you must use the following configuration elements, edit the Shared Services external authentication configuration file (CSS.xml) directly using a text editor. Do not edit the file until after you complete the preliminary configuration using the Shared Services console. Additionally, Hyperion recommends backing up the CSS.xml file before editing it directly.
88
The CSS.xml file is located at <HSS_HOME>\AppServer\InstallableApps\common where <HSS_HOME> represents the directory where Shared Services was installed.
Caution! Be sure to save your changes to the CSS.xml file before closing the text editor and before using
the Shared Services External Authentication Configuration Console again.
Before continuing, it is recommended you examine the structure of the sample CSS.xml files in Appendix F, Sample Configuration XML Files. This section contains the following topics:

Configuring the User Login Attribute (Optional, LDAP/MSAD Only) on page 89 Configuring the User First-Name Attribute (Optional, LDAP/MSAD Only) on page 90 Configuring the User Surname Attribute (Optional, LDAP/MSAD Only) on page 91 Configuring the User E-mail Attribute (Optional, LDAP/MSAD Only) on page 91 Adding Custom User Object-Class Entries (Optional, LDAP/MSAD Only) on page 92 Configuring the Group Name Attribute (Optional, LDAP/MSAD Only) on page 93 Adding Custom Group Object-Class Entries (Optional, LDAP/MSAD Only) on page 93 Adding Referral Support (Optional, MSAD Only) on page 94
Configuring the User Login Attribute (Optional, LDAP/MSAD Only)

With the user login attribute, you can specify a directory attribute that uniquely identifies all relevant user entries.
To configure the user login attribute:

1 Add a User section to the Provider section of the XML if one does not exist, and add a loginAttribute
element to the User section. The tags should be nested as follows, with the additions shown in bold:
<spi> <provider> <ldap name="ldapserver"> ... <user> <loginAttribute></loginAttribute> </user> ... </ldap> </provider> <spi>
2 Between the <loginAttribute></loginAttribute> tags, enter the value of an attribute in the

directory that uniquely identifies user entries.
89
The attribute may be part of the DN, such as uid or cn, or a customized attribute, such as employee_ID, or another attribute commonly used in the directory nodes of users. If the <loginAttribute> section is deleted, the default value is uid, as shown in this sample:
<loginAttribute>uid</loginAttribute>
The sample is correct if all user names are identified by uid = UserName.
3 Save the CSS.xml file. 4 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication
Configuring the User First-Name Attribute (Optional, LDAP/MSAD Only)

You can use the first-name attribute to specify the directory attribute associated with firstname entries in the directory.
To configure the user first-name attribute:

1 Add a User section to the Provider section of the XML if one does not exist, and add a fnAttribute
<spi> <provider> <ldap name="ldapserver"> ... <user> <fnAttribute></fnAttribute> </user> ... </ldap> </provider> <spi>
2 Between the <fnAttribute></fnAttribute> tags, enter the value of an attribute associated with
first-name entries in the directory. If the fnAttribute element is not used, the default value for the first-name attribute is givenname.
90
Configuring the User Surname Attribute (Optional, LDAP/MSAD Only)

You can use the surname attribute to specify the directory attribute associated with last-name entries in the directory.
To configure the user surname attribute:

1 Add a User section to the Provider section of the XML if one does not exist, and add an snAttribute
<spi> <provider> <ldap name="ldapserver"> ... <user> <snAttribute></snAttribute> </user> ... </ldap> </provider> <spi>
2 Between the <snAttribute></snAttribute> tags, enter the value of an attribute associated with
last-name entries in the LDAP directory. If the surname attribute is not used, the default value is sn.
Configuring the User E-mail Attribute (Optional, LDAP/MSAD Only)

You can use the e-mail attribute to specify the directory attribute associated with e-mail addresses stored as entries in your corporate directory.
To configure the user e-mail attribute:

1 Add a User section to the Provider section of the XML if one does not exist, and add an
emailAttribute element to the User section. The tags should be nested as follows, with the additions
shown in bold:
<spi> <provider> <ldap name="ldapserver"> ... <user> <emailAttribute></emailAttribute> </user> ... </ldap> </provider> <spi>
91
2 Between the <emailAttribute></emailAttribute> tags, enter the value of an attribute

mapped to e-mail addresses stored in your corporate directory. If the e-mail attribute is not used, the default value is mail.
Adding Custom User Object-Class Entries (Optional, LDAP/MSAD Only)

You can add custom elements to the CSS.xml file if your corporate directory schema requires specialized object classes to describe users and those object classes are not present in the entries.
To add custom user object classes:

1 Add a User section to the Provider section of the XML if one does not exist, and add one or more
objectclass and entry elements to the User section. The tags should be nested as follows, with the
additions shown in bold:

<spi> <provider> <ldap name="ldapserver"> ... <user> ... <objectclass> <entry></entry> </objectclass> ... </user> ... </ldap> </provider> <spi>
2 Add a value to each <entry> element.

The provided (default) user object classes for LDAP are person, organizationalPerson, and inetOrgPerson. The provided (default) user object classes for Active Directory are person, organizationalPerson, and user.
92
Configuring the Group Name Attribute (Optional, LDAP/MSAD Only)

You can use the group name attribute to specify a directory attribute uniquely identifying all relevant group entries.
To configure the group name attribute:

1 Add a Group section to the Provider section of the XML if one does not exist, and add a nameAttribute
element to the Group section. The tags should be nested as follows, with the additions shown in bold:
<spi> <provider> <ldap name="ldapserver"> ... <group> <nameAttribute></nameAttribute> </group> ... </ldap> </provider> <spi>
2 Between the <nameAttribute></nameAttribute> tags, enter the value of an attribute in the

corporate directory through which a group entry can be discovered. If the group name attribute is not used, the default value is cn.
For example, following configuration means the group names containing the relevant user entries are using the Common Name attribute:
<nameAttribute>cn</nameAttribute>
Adding Custom Group Object-Class Entries (Optional, LDAP/MSAD Only)

You can add custom elements to the CSS.xml file if your corporate directory schema requires specialized object classes to describe groups and those object classes are not present in the entries.
To add custom group object classes:

1 Add a Group section to the Provider section of the XML if one does not exist, and add one or more
objectclass and entry elements to the Group section. The tags should be nested as follows, with the

<spi> <provider> <ldap name="ldapserver"> ...
93
<group> ... <objectclass> <entry></entry> </objectclass> ... </group> ... </ldap> </provider> <spi>
2 Add a value to each <entry> element.

The provided (default) group object classes for LDAP are groupofuniquenames?uniquemember and groupOfNames?member. The provided (default) group object class for Active Directory is group?member. For additional entries, the <entry> tag values must be of the format ObjectClassName?AttributeName; for example: <entry>group?member</entry>. Where group is the name of the objectClass and member is the attribute holding the distinguished Name of the member of this group.
Adding Referral Support (Optional, MSAD Only)

Referrals are used to collect information from multiple servers and present it in a single namespace. For example, if a company is acquired and the directories are yet to be integrated, but users from both companies need to be listed whenever a directory search is performed.
Note: Because there are performance implications when you activate this setting, Hyperion provides an option whether to turn this setting on or off.
The <property></property> element enables the use of referrals in MSAD. MSAD referral entries are ignored unless this setting is added to the configuration file.
To add support for referrals:

1 Add a Property section to the end of the msad Provider section of the XML, following the closing
<group> tag. Include the keys and values shown. The tags should be nested as follows, with the
94
<spi> <provider> <msad name="msadServer"> ... <user> ... </user> <group> ... </group> <property> <key>com.hyperion.css.followReferral</key> <value>true</value> </property> </msad> </provider> <spi>
Deleting a Provider
Deleting a provider permanently removes the provider from the configuration.
Note: Remove removes the provider from the search order but not from the configuration.
To delete a provider:
1 Launch the External Authentication Configuration Console. 2 Select a provider and click Delete.
Notes About User and Group Names

The at symbol (@) is a reserved character used to delineate the user name or group name from the provider name. For example:
username@providerName => jblow@ntlmServer groupname@providerName => marketing@ntlmServer
If a user name or group name contains @, the characters following @ are considered to be the name of a provider registered in the search order. If such a provider name does not exist, an error message is returned. Additionally, the asterisk character (*) cannot be used in LDAP or MSAD user/group names
Notes About User and Group Names
95
Configuring SiteMinder Single Sign-On

For Web-based Hyperion products, single sign-on integration with Netegrity SiteMinder is available. SiteMinder is a Web access management solutions provider companies employ to manage and enforce authentication, authorization, and single sign-on for their Web resources. After SiteMinder authenticates a user, the Hyperion security platform enables single sign-on for the user into a Web-based Hyperion application without challenging the user for credentials.
Configuring the SiteMinder Policy Server

The SiteMinder administrator must set up protection for the Web resources of the Hyperion application. These resources can be HTML, JSP, ASP files, or other Web-based resource files. The SiteMinder administrator must configure a response that adds a custom HTTP header. This HTTP header makes a login name available to Hyperion application Web resources. The header must include the parameter HYPLOGIN, and the value of the login name of the authenticated user. For example, if you use an LDAP directory and cn is the login name attribute in the configuration file, the HYPLOGIN header should carry the cn value of the LDAP authenticated user. SiteMinder administrators can also configure the header to SM_USERLOGINNAME, the username specified by the user during logon. See the Responses and Response Groups section of the Netegrity Policy Design Guide.
Configuring the SiteMinder Web Agent

SiteMinder supports a single sign-on environment across Hyperion applications running on heterogeneous web server platforms. If Hyperion applications, including Shared Services, run on different web servers, you must ensure that the SiteMinder cookie can be passed among web servers within the same domain.
In the WebAgent.conf file for each web server, set the cookiedomain property, as follows:
Cookiedomain=.domainName.com For example: Cookiedomain=.hyperion.com For more details, see the Configuring Web Agents chapter in the Netegrity SiteMinder Agent Guide. Because Shared Services uses basic authentication to protect its content, the web server that intercepts requests for Shared Services should enable basic authentication to support single sign-on with SiteMinder.
96
Enabling SiteMinder Authentication in the Shared Services Configuration

Integration with SiteMinder requires configuration of the <securityAgent></securityAgent> element in the CSS.xml configuration file. The CSS.xml file is on the computer hosting Shared Services, at <HSS_HOME>\
AppServer\InstallableApps\common
where <HSS_HOME> represents the directory where Shared Services is installed.
Caution! Do not edit the CSS.xml file until after you finish using Shared Services External
Authentication Provider Configuration Console for the preliminary configuration. Additionally, Hyperion recommends backing up the CSS.xml file before editing it directly.
To enable SiteMinder authentication in the Shared Services configuration:

1 Using a text editor, open the CSS.xml file. 2 Above the final line of the file, add a blank line that reads as follows:
</css>
3 In the blank line above </css>, type the following text:

<securityAgent name="NETEGRITY"/>
4 Save and close CSS.xml.
Deployment Example
For a sample deployment scenario, see Single Sign-On with SiteMinder on page 120.
Using Secure Sockets Layer (SSL)

You can use the Secure Sockets Layer (SSL) protocol for secure data transmission to and from the authentication provider. Tokens are encrypted; however, the additional security of Secure Sockets Layer is recommended for prevention of replay attacks (a form of network attack in which a data transmission is maliciously or fraudulently repeated or delayed) or man in the middle attacks (an attack in which an attacker is able to read, insert, and modify messages between two parties without the parties knowing the link between them has been compromised). The Hyperion security platform uses the LDAP service provider from Sun to authenticate users stored externally in an LDAP-compatible directory such as Novell eDirectory, SunTM Open Net Environment (Sun ONE, formerly iPlanet), or MSAD. The LDAP service provider runs on the
97
Java Virtual Machine for your application. When SSL is used as the secure medium to connect to the directory server, the LDAP service provider of the security platform uses Java Secure Socket Extension (JSSE) software for its SSL support.
Enabling the Use of SSL

To use Secure Sockets Layer, you must select SSL as the authorization type when configuring Shared Services for external authentication. If you are using Secure Sockets Layer (SSL), you must also complete the following tasks:

On the directory server, ensure a certificate is installed and available. On the Java Virtual Machine that runs your application, create a certificate database if one does not exist. On the Java Virtual Machine that runs your application, trust the Certificate Authority (CA) issuing the server certificate.
Note: MSAD sp2 and earlier releases of Hyperion applications are known to have connectivity issues over SSL. Information on resolving such issues is available at this Microsoft Web site: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320711
For information about setting up SSL, see the documentation for your directory server or application server and JRE.
Setting Up SSL on OpenLDAP

OpenLDAP requires OpenSSL to be installed to create and verify the certificates. OpenSSL is available at http://www.openssl.org.
To set up SSL on OpenLDAP:

1 Use OpenSSL to create a self signed server certificate. From a command line, enter the following:
openssl req -newkey rsa:1024 -x509 -nodes -out openldap.pem -keyout openldap.pem -days 365
2 Add the following entries to the slapd.conf file:

TLSCertificateFile C:/Hyperion/SharedServices/9.2/openLDAP/openldap.pem TLSCertificateKeyFile C:/Hyperion/SharedServices/9.2/openLDAP/openldap.pem TLSVerifyClient never
3 Start the OpenLDAP database.

slapd -d 1 -h "ldap:/// ldaps:///" slapd -d 1 -h "ldap://:58089 ldaps:///"
This command starts LDAP on port 58089.
98
Consult the OpenLDAP Administrator's Guide for a detailed and up-to-date discussion of TLS/SSL use in OpenLDAP Software.
Setting Up SSL on Apache Tomcat 5.0.28

To enable SSL on the Tomcat application server, complete these tasks:
Create a keystore file on the machine where the Shared Services application server is running. See Creating a Keystore File on page 99. Map the keystore file to the Tomcat server.xml file. See Configuring the Tomcat server.xml File on page 100. Modify the hub.properties file to use HTTPS. See Modifying the hub.properties File on page 101.
Creating a Keystore File

To create a keystore file:
1 Generate the .keystore file:
a. Change to this directory:
Windows:
HYPERION_HOME\common\JDK\Sun\1.4.2\bin
UNIX:
HYPERION_HOME/common/JDK/Sun/1.4.2/bin
b. Type:
keytool -genkey -alias tomcat -keyalg RSA
2 Respond to the prompts as appropriate; for first and last name, enter the computer (host) name on which
the Shared Services application server is running.
By default, the .keystore file is stored in the Windows user home directory or the UNIX user $HOME directory.
3 Export the .keystore file:

Windows:
UNIX:
b. Type:
Windows:
keytool -export -keystore WINDOWS_USER_HOME_DIRECTORY\ .keystore -file server.cert -alias tomcat
99
UNIX:
keytool -export -keystore USER_$HOME_DIRECTORY/.keystore -file server.cert -alias tomcat
4 Import the .keystore file to cacerts:

Windows:
UNIX:
b. Type:
Windows:
keytool -import -keystore HYPERION_HOME\common\JDK\Sun\ 1.4.2\jre\lib\security\cacerts -file server.cert -alias tomcat
UNIX:
keytool -import -keystore HYPERION_HOME/common/JDK/Sun/ 1.4.2/jre/lib/security/cacerts -file server.cert -alias tomcat
For more details on using keytool, visit this website:

http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Configuring the Tomcat server.xml File

To configure the Tomcat server.xml file:
1 Copy the commented SSL <Connector ...> entry from:
Windows:
HYPERION_HOME\common\appServers\Tomcat\5.0.28\conf\server.xml
UNIX:
HYPERION_HOME/common/appServers/Tomcat/5.0.28/conf/server.xml
to
Windows:
HSS_HOME\AppServer\InstalledApps\Tomcat\5.0.28\ SharedServices9\conf\server.xml
UNIX:
HSS_HOME/AppServer/InstalledApps/Tomcat/5.0.28/ SharedServices9/conf/server.xml
where HSS_HOME is the location where Shared Services is installed, for example:
c:\Hyperion\SharedServices\9.2 on Windows or /home/username/Hyperion/SharedServices/9.2 on UNIX
2 Uncomment the SSL Connector entry you copied into:
100
HSS_HOME\AppServer\InstalledApps\Tomcat\5.0.28\ SharedServices9\conf\server.xml
The SSL Connector entry in the file you copied from should be left commented.
3 Add the keystoreFile attribute in the <Connector .> tag and set the keystoreFile value to the location
of the .keystore file you created earlier.
Windows: Example for Tomcat 5.0.28:

<! -- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --> <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="<WINDOWS_USER_HOME_DIRECTORY>/.keystore"/>
UNIX: Example for Tomcat 5.0.28, pointing to the .keystore file located in the root directory :
<! -- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --> <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/.keystore"/>
Modifying the hub.properties File

To modify the hub.properties file to use HTTPS:
1 Open the hub.properties file from this directory:
Windows:
HSS_HOME\AppServer\InstalledApps\Tomcat\5.0.28
UNIX:
HSS_HOME/AppServer/InstalledApps/Tomcat/5.0.28
where HSS_HOME is the location where Shared Services is installed, for example:
c:\Hyperion\SharedServices\9.2 on Windows or /home/username/Hyperion/SharedServices/9.2 on UNIX
2 Add the following entry at the end of the file:

sslEnabled=true Note: Delete this entry when Shared Services HSS is running on HTTP .
101
102
Chapter
11
Using the Hyperion Remote Authentication Module
This chapter explains the purpose of the Hyperion Remote Authentication Module and provides instructions for setting it up and starting it. Hyperion Remote Authentication Module is an optional component for external authentication.
In This Chapter
About the Hyperion Remote Authentication Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Installing the Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Configuring and Starting the Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
103
About the Hyperion Remote Authentication Module

The Hyperion Remote Authentication Module, formerly called the NTLM Remote Server, can be installed from the Hyperion Download Center. Installing and running the Hyperion Remote Authentication Module can be useful to the following groups:

UNIX application users who must log on using a Windows NTLM domain Windows users who must log on using multiple Windows NTLM domains when no trust relationships are set up
Note: Earlier releases of Hyperion applications employing Hyperion Remote Authentication Module 7.0 return an incorrect list of users and groups if the domain element is specified in the configuration file. To avoid this situation, use only Hyperion Remote Authentication Module 7.2.x or later with 7.2.x or later of Hyperion Hub or Hyperion Shared Services. For earlier releases of Hyperion Hub, continue to use Remote Authentication Module 7.0.
UNIX Application Support for NTLM

In the following deployment scenario, the Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based application:
The configuration file resides on the application server, as do the Hyperion application binaries. The NTLM support library file (css-2_6_x.dll) is also required for NTLM connectivity. You must configure for external authentication as described in Chapter 10, Configuring External Authentication for Shared Services. The NTLM Primary Domain Controller can be on a Windows 2000 server. The Hyperion Remote Authentication Module should be on a Windows 2000 server. Combining the Remote Authentication Module with the NTLM Primary Domain Controller is not recommended. The Remote Authentication Module computer needs to be in the same domain as the NTLM Primary Domain Controller.
104
Multiple-Domain Support for NT LAN Manager

Hyperion Remote Authentication Module enables a Hyperion product to authenticate users belonging to other domains that are not trusted by the domain on which the Hyperion product is installed. This removes the necessity to establish trust relationships among the domains. In the following deployment scenario, the Hyperion Remote Authentication Module enables users of a Hyperion product to authenticate using one of two domains:
Without the Hyperion Remote Authentication Module, the only way to use multiple domains for a Hyperion product is to establish trust relationships, as shown in the following figure:
About the Hyperion Remote Authentication Module
105
Installing the Remote Authentication Module

On a Windows 2000 server, install the Hyperion Remote Authentication Module. The installation program, setup.exe, is available on the Oracle E-Delivery site.
To install the Hyperion Remote Authentication Module:

1 Run setup.exe. 2 Select the language to use. 3 On the Welcome page, click Next. 4 Accept the license agreement and click Next. 5 Choose a destination location for Hyperion Remote Authentication Module and click Next. Hyperion
recommends you accept the default location.
6 Provide a value for the HYPERION_HOME environment variable. Hyperion recommends you accept the
default location.
7 Enter the host name and port number for the computer hosting the Hyperion Remote Authentication
Module. The default port number is 58000.
8 If you are using Secure Sockets Layer with your NTLM deployment, select the option to support SSL.
For SSL configuration, you must provide a value for the <authProtocol></authProtocol> element in the security platform configuration XML file shipped with Shared Services (or alternately, the file shipped with an individual Hyperion product). See Setting Authorization Type (Optional) on page 79.
Note: Hyperion Remote Authentication Module does not support SSL connections on AIX.
9 Click Next. 10 Review the summary of your installation choices, and click Next to begin the installation. 11 Click Finish to complete the installation.
Configuring and Starting the Remote Authentication Module

Before using the Hyperion Remote Authentication Module, complete the following additional
steps:
1 On the computer hosting the Hyperion products that connect to Hyperion Remote Authentication Module,
modify the values in the <location> tags in the <remoteServer> section of the configuration file, to tell the application where to find the Remote Authentication Module.
You must provide a value for the <remoteServer></remoteServer> element in the external authentication configuration XML file shipped with Shared Services (or alternately, with each Hyperion product).
106
2 Run the remote authentication module by selecting Start > Programs > Hyperion > Foundation Services >
Hyperion Remote Authentication Module > Run Authentication Server.
Configuring and Starting the Remote Authentication Module
107
108
Chapter
12
In This Chapter
Sample External Authentication Deployment Scenarios
This chapter contains sample external authentication deployment scenarios.
Single LDAP Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Single Microsoft Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 UNIX Application and Single NTLM Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Windows Application and Single NTLM Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 UNIX Application Against LDAP MSAD, and NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 , Windows Application Against LDAP, MSAD, and NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Multiple MSAD Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Multiple LDAP Directory Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Multiple NTLM Domains with Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module . . . . . . . . . . . . . . . . . 119 Single Sign-On with SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Deployment References from LDAP Product Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
109
Single LDAP Directory

The following figure illustrates a deployment scenario using LDAP:
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. The application server can be on UNIX, Windows 2000 server, or Windows 2003 server. The directory server can be on UNIX, Windows 2000 server, or Windows 2003 server. A secure SSL connection can be used. The directory server and the application server can be combined into one server. In such a scenario, the application binaries and the directory server binaries reside on one server. In the single LDAP directory scenario:

All users must use one prefix, such as cn or uid. All groups must use one prefix, such as cn or ou. Referrals are not supported. Users and groups should exist under nodes, such as ou=People and ou=Groups, for optimal data-retrieval performance.
A sample corporate directory schema follows:
110
Single Microsoft Active Directory

The following figure illustrates a deployment scenario using MSAD:
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. The application server can be on UNIX, Windows 2000 server, or Windows 2003 server. The directory server must be on a Windows 2000 or 2003 server. A secure SSL connection can be used. The directory server and the application server can be combined into one server. In this scenario, the application binaries and the directory server binaries reside on one server. In the single MSAD scenario:

All users must use one prefix, such as cn or uid. All groups must use one prefix, such as cn or ou. Referrals are supported, if configuration enables it as described in Adding Referral Support (Optional, MSAD Only) on page 94. Users and groups should exist under nodes, such as cn=Users, for optimal data-retrieval performance.
A sample corporate directory schema follows:
Single Microsoft Active Directory
111
UNIX Application and Single NTLM Domain

The following figure illustrates a deployment scenario in which a UNIX-based application accesses information from a Windows NTLM domain controller. This implementation depends also on the Hyperion Remote Authentication Module, which must be configured and running on a Windows server. The Remote Authentication Module can be installed from the Hyperion Download Center. The Remote Authentication Module is needed because the external authentication mechanism depends on the NTLM support library file (DLL) for NTLM authentication, and DLLs are not supported on UNIX.
Note: The Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based application. Install the Remote Authentication Module from the Hyperion Download Center.
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. The NTLM support library file (DLL) file is required for the NTLM connectivity. The application server is assumed to be on UNIX, requiring the Hyperion Remote Authentication Module to enable NTLM authentication. The NTLM Primary Domain Controller server can be on a Windows 2000 server or a Windows 2003 server. The Hyperion Remote Authentication Module should be on a Windows 2000 server or a Windows 2003 server. Combining the Remote Authentication Module with the NTLM Primary Domain Controller server is not recommended. The Remote Authentication Module computer must be in the same domain as the NTLM Primary Domain Controller server.
112
The security platform can communicate over a secure medium such as Secure Sockets Layer (SSL) with the Hyperion Remote Authentication Module. If you must use SSL, select the SSL option when installing the Hyperion Remote Authentication Module. For complete installation instructions, see Chapter 11, Using the Hyperion Remote Authentication Module.
Windows Application and Single NTLM Domain

The following figure illustrates a deployment scenario in which a Windows-based application accesses information from a Windows NTLM domain controller:
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. The NTLM support library file (DLL) file is required for the NTLM connectivity. The NTLM Primary Domain Controller server can be on a Windows 2000 server or a Windows 2003 server.
Windows Application and Single NTLM Domain
113
UNIX Application Against LDAP, MSAD, and NTLM

The following figure illustrates a deployment scenario in which a UNIX-based application accesses information from multiple directory stores. The Hyperion Remote Authentication Module is required for access to the Windows NTLM domain. Configuration of the search order is important in this scenario.
Note: The Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based application. Install the Remote Authentication Module from the Hyperion Download Center. For installation instructions, see Chapter 11, Using the Hyperion Remote Authentication Module.
114
Windows Application Against LDAP, MSAD, and NTLM

The following figure illustrates a deployment scenario in which a Windows-based application accesses information from multiple directory stores:
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. The NTLM support library file (DLL) file is required for the NTLM connectivity. The configuration for external authentication should be done as described in the rest of this document. The NTLM Primary Domain Controller can be on a Windows 2000 server or a Windows 2003 server. For LDAP-compatible directories, a secure SSL connection can be used. The configuration of the search order property in the XML configuration file determines the order in which each directory store receives requests for information from the application. For example, the first instance of a requested user found while going through the search order is the instance used by the external authentication mechanism to retrieve and return information about the user to the application. Therefore, although three directories can host user information, it is recommended user information not be duplicated across the directories. Duplication can lead to the incorrect user object being authenticated. For information about configuring the search order, see Setting the Search Order on page 86.
Windows Application Against LDAP, MSAD, and NTLM
115
Multiple MSAD Instances

The following figure illustrates a deployment of multiple MSAD instances holding user authentication information:
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. To enable the application server to enable authentication from the directory servers shown in the preceeding figure, the directory servers must be indicated in the search order. The most frequently used directory should be indicated first in the search order. For information about configuring the search order, see Setting the Search Order on page 86. A secure SSL connection can be used.
116
Multiple LDAP Directory Instances

The following figure illustrates a deployment of multiple LDAP instances holding user authentication information:
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. To enable the application server to enable authentication from the directory servers shown the preceeding figure, the directory servers must be indicated in the search order. The most frequently used directory should be indicated first in the search order. For information about configuring the search order, see Setting the Search Order on page 86. A secure SSL connection can be used.
Multiple LDAP Directory Instances
117
Multiple NTLM Domains with Trust Relationships

When there are multiple Windows NTLM domains which hold user authentication information, one solution is to establish trust relationships among the domains, as shown in the following figure:
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. The NTLM support library file (DLL) file is required for the NTLM connectivity. The configuration for external authentication should be done as described in the rest of this document. The NTLM Primary Domain Controllers can be on Windows 2000 or Windows 2003 servers.
118
Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module
When there are multiple Windows NTLM domains holding user authentication information, an additional solution is to link the domains using the Hyperion Remote Authentication Module (compare to the scenario described in Multiple NTLM Domains with Trust Relationships on page 118). This scenario eliminates the necessity of establishing trust relationships among the domains, as shown in the following figure:
The Hyperion Remote Authentication Module gives users of Hyperion applications on Windows the ability to log on using multiple domains, without the need for the administrator to create trust relationships among the domains. In the preceeding figure, Windows users can log on using domain D2 in addition to the more commonly used domain D1, because the Hyperion Remote Authentication Module is running, giving access to domain D2. Note that D1 does not trust D2. The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console as described in Chapter 10, Configuring External Authentication for Shared Services. The NTLM support library file (DLL) file is required for the NTLM connectivity. The NTLM Primary Domain Controllers can be on Windows 2000 or Windows 2003 servers. The security platform can communicate over a secure medium such as Secure Sockets Layer (SSL) with the Hyperion Remote Authentication Module. If you must use SSL, select the SSL option when installing the Hyperion Remote Authentication Module. For complete installation instructions, see Chapter 11, Using the Hyperion Remote Authentication Module.
Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module
119
Single Sign-On with SiteMinder

SiteMinder is a Web access management solutions provider sometimes employed by companies to manage and enforce authentication, authorization, and single sign-on for company Web resources. The Hyperion security platform enables single sign-on for a user into a Web-based Hyperion application without challenging the user for credentials, as long as SiteMinder authenticates the user. Integration with SiteMinder requires configuration of the <securityAgent></securityAgent> element in the XML configuration file.
Note: If your corporation uses a security agent to protect company Web resources, the corporate authentication repository (for example, LDAP, MSAD, or NTLM) must be trusted, because the Hyperion security platform does not store a password in the token when a security agent is used.
The following figure illustrates a scenario enabling single sign-on with SiteMinder and a Hyperion application:
The Hyperion application trusts the authentication and authorization information sent by SiteMinder with regards to the protected resources on the directory server. Therefore, the Hyperion security platform supports Tier 1 integration with SiteMinder. The Web agent is installed on a Web server that intercepts requests for the Hyperion applications Web resources, such as JSP, ASP, or HTML files on the application server. If these Web resources are protected, the Web agent issues a challenge for unauthenticated users. When the user is authenticated, the policy server adds to the HTTP headers another header, named HYPLOGIN, whose value is the login name of the authenticated user. Thereafter, the HTTP
120
request is passed on to the Web resources of the Hyperion application, and the login name is extracted from the headers. For more details on configuring the header HYPLOGIN and populating it, see Configuring SiteMinder Single Sign-On on page 96.
Deployment References from LDAP Product Vendors

Sun ONE Directory Server 5.2 Deployment Guide:
http://docs.sun.com/app/docs/doc/816-6700-10
iPlanet Directory Deployment Guide for v5.1:

http://192.18.99.138/816-5609-10/816-5609-10.pdf
iPlanet Directory Deployment Guide for v4.16:

http://192.18.99.138/816-6679-10/816-6679-10.pdf
Active Directory Deployment Guide:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologi es/activedirectory/deploy/default.mspx
Deployment References from LDAP Product Vendors
121
122
APPENDIX
A
In This Chapter
Manual Deployment to WebSphere Application Server
Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Basic Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Detailed Deployment Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Modifying Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
123
Location References
The procedures in this section use the following location references to refer to the directories on your system:
<WAS_HOME> is the installation directory of the WebSphere server; for example, C:\IBM \WebSphere\AppServer (Windows) or /opt/websphere (UNIX). <HSS_HOME> is the directory in which you installed Shared Services. <HYPERION_HOME> is the directory you specified during the Hyperion product installation.
Note: Unless noted specifically in this chapter, forward slashes in directory paths apply to both Windows and UNIX.
Prerequisites
Complete these tasks before beginning:
Install WebSphere application server and ensure it is running (see the WebSphere documentation). In WebSphere, create a profile and a server. Install Shared Services to the same computer as the application server (see Chapter 4, Installing and Upgrading Shared Services).
Note: Shared Services cannot be installed to directories with names containing spaces; for example, the Program Files directory.
After installation, run Hyperion Configuration Utility to configure Shared Services. Select the database configuration and application server deployment tasks. Provide the database information, and then select the manual deployment option on the Application Server selection panel. Selecting the manual deployment option copies the necessary files to:
<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1 (for WebSphere 5.1) <HSS_HOME>/AppServer/InstalledApps/other (for WebSphere 6.1)
Basic Deployment Instructions

This section provides high-level instructions for manually deploying to WebSphere 5.1.1.7 or WebSphere 6.1 application servers. See Location References on page 124 for the list of location references used in this section to refer to the directories on your system. For detailed manual deployment instructions, see Detailed Deployment Instructions on page 127.
Define Environment Variables

Create the following application server environment variables:
124
HYPERION_HOME: Set the value to the <HYPERION_HOME> directory you specified during the Hyperion product installation. HSS_HOME: Set the value to the <HSS_HOME> directory you specified during the Shared Services installation.
Create the Shared Library

Create the Hyperion Shared Services shared library at the server level and add these libraries to the Hyperion Shared Services library.
WebSphere 5.1.1.7
Windows:
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1 ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\HubProductBean.jar ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commonscollections-3.1.jar ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-dbcp.jar ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-pool.jar ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\hyjdbc.jar ${HYPERION_HOME}\common\XML\JDOM\0.8.0\jdom.jar ${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib ${HYPERION_HOME}\common\SAP\lib
On Windows, add the following path to the Native Library Path field:
<HYPERION_HOME>\common\CSS\9.2.1.0\bin
UNIX:
${HSS_HOME}/AppServer/InstalledApps/WebSphere/5.1 ${HSS_HOME}/AppServer/InstalledApps/WebSphere/HubProductBean.jar ${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-collections3.1.jar ${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-dbcp.jar ${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-pool.jar ${HSS_HOME}/AppServer/InstalledApps/WebSphere/hyjdbc.jar ${HYPERION_HOME}/common/XML/JDOM/0.8.0/jdom.jar ${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib ${HYPERION_HOME}/common/SAP/lib
WebSphere 6.1
Windows:
${HSS_HOME}\AppServer\InstalledApps\other
125
${HSS_HOME}\AppServer\InstallableApps\other\HubProductBean.jar ${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib\hyjdbc.jar ${HSS_HOME}\AppServer\InstalledApps\other\commons-collections3.1.jar ${HSS_HOME}\AppServer\InstalledApps\other\commons-dbcp.jar ${HSS_HOME}\AppServer\InstalledApps\other\commons-pool.jar ${HYPERION_HOME}\common\XML\JDOM\0.8.0\jdom.jar ${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib ${HYPERION_HOME}\common\SAP\lib
UNIX:
${HSS_HOME}/AppServer/InstalledApps/other ${HSS_HOME}/AppServer/InstallableApps/other/HubProductBean.jar ${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar ${HSS_HOME}/AppServer/InstalledApps/other/commons-collections3.1.jar ${HSS_HOME}/AppServer/InstalledApps/other/commons-dbcp.jar ${HSS_HOME}/AppServer/InstalledApps/other/commons-pool.jar ${HYPERION_HOME}/common/XML/JDOM/0.8.0/jdom.jar ${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib ${HYPERION_HOME}/common/SAP/lib
Add a Transport Chain

Use the WebSphere administrative console to create a new transport chain. You must specify the following information:

A port name (for example, HSS) The host name (you can enter *) or IP address for that port The port number under which Shared Services is going to run
Deploy the WAR File

Deploy the Shared Services WAR file, interop.war. The interop.war file is in the following location (Windows and UNIX):
<HSS_HOME>/AppServer/InstalledApps/other/interop.war (for WebSphere 6.1) <HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1/interop.war (for
WebSphere 5.1)
126
Override Session Management

Check Override Session Management to override the server setting.
Change the HTTP Cookie Name

Ensure HTTP cookies are enabled and change the cookie name to HUBSESSIONID.
Increase JVM Memory

If sharing large models, you must increase the amount of memory WebSphere allocates for the JVM. For instructions, see Increasing the Memory Allocation for JVM on page 133.
Modify Configuration Files

For instructions, see Modifying Configuration Files on page 137.
Note: For WebSphere 5.1.1.7, you also need to replace a jdom.jar file. See Detailed Deployment Instructions on page 127.
Detailed Deployment Instructions

WebSphere 5.1.1.7
This section provides detailed instructions for manually deploying to WebSphere 5.1.1.7 application server. See Location References on page 124 for the list of location references used in this section to refer to the directories on your system. Before you begin deploying, review the Prerequisites on page 124.
To manually deploy Shared Services to WebSphere application server:

1 Start the WebSphere server. 2 Log on as the administrator to the WebSphere Administration Console using this URL:
http://servername:portno/ibm/console
For servername and portno, enter the server and port on which WebSphere is running. The default location is http://localhost:9090/ibm/console.
3 Create the HYPERION_HOME and HSS_HOME WebSphere environment variables:

a. In the left frame, select Environment > Manage WebSphere Variables. b. Select the server scope, click New, and create the following variables:
HYPERION_HOME: Set the value to the <HYPERION_HOME> directory you specified during installation.
127
HSS_HOME: Set the value to the <HSS_HOME> directory you specified during installation.
4 Create a new shared library called Hyperion Shared Services Libraries:

a. In the left frame, select Environment > Shared Libraries. b. Select the server scope and click New. c. Name the shared library Hyperion Shared Services Libraries, and add the following libraries to the shared library:
Libraries (Windows):
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1 ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\HubProductBean. jar ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commonscollections-3.1.jar ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commonsdbcp.jar ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commonspool.jar ${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\hyjdbc.jar ${HYPERION_HOME}\common\XML\JDOM\0.8.0\jdom.jar ${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib ${HYPERION_HOME}\common\SAP\lib
Libraries (UNIX):
${HSS_HOME}/AppServer/InstalledApps/WebSphere/5.1 ${HSS_HOME}/AppServer/InstalledApps/WebSphere/HubProductBean.jar ${HSS_HOME}/AppServer/InstalledApps/WebSphere/commonscollections-3.1.jar ${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-dbcp.jar ${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-pool.jar ${HSS_HOME}/AppServer/InstalledApps/WebSphere/hyjdbc.jar ${HYPERION_HOME}/common/XML/JDOM/0.8.0/jdom.jar ${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib ${HYPERION_HOME}/common/SAP/lib
d. Click OK.
5 Create or update virtual hosts:

a. In the left frame, select Environment > Virtual Hosts. b. Select default host and click New. By default, Shared Services is configured to run on port 58080. c. Create or update a Virtual Host by defining a Host Alias for port 58080. For details, please refer to the WebSphere documentation.
128
6 Deploy the .WAR file:

a. In the left frame, select Applications > Enterprise Applications. b. Click Install. c. Navigate to this location (Windows and UNIX):
<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1/interop.war
d. Set the context root to interop, click Next.
Caution! Once you set the context root to interop, do not modify.
e. Click Next and then accept the defaults on the following screens until the Install New Application screen. f. Select the virtual host of your choice and select Hyperion System 9 Shared Services, click Next, then click Finish.
g. For Map modules to application servers, select Hyperion System 9 Shared Services, click Next, then click Finish. h. After the confirmation message about a successful deployment is displayed, click Save to Master Configuration.
7 Add a transport chain:

a. In the left frame, select Servers > Application servers > <server_name>. b. Under Additional Properties, click Web Container. c. Click HTTP transports and click New. d. Specify a port name (for example, HSS), the host name (you can enter *) or IP address for that port, and the port number under which Shared Services is going to run. e. Click OK.
8 Update Java Virtual Machine custom properties:

a. In the left frame, select Servers > Application Servers > <servername>. b. Scroll down and click Process Definition. c. Scroll down and click Java Virtual Machine. d. Scroll down to Additional Properties and then click Custom Properties. e. Click New. f. Update the name to "hyperion.home" and the value to <HYPERION_HOME>.
g. Click OK.
9 Reference the Shared Library:

a. In the left frame, select Applications > Enterprise Applications. b. Select interop.war. c. Under General Properties, change the Classloader Mode setting to PARENT_LAST.
129
d. Set a reasonable value for Reload Interval and then click OK. e. Under Additional Properties, select Libraries. f. Click Add and then select Hyperion Shared Services Libraries, and then click OK.
10 Override session management:

a. In the left frame, select Applications > Enterprise Applications and in the right frame, click interop.war. b. In Additional Properties, click Session Management. c. Check Overwrite to overwrite the server setting. d. Select Enable Cookies, change the cookie name to HUBSESSIONID, and click Apply.
11 Select the Save command in the top menu bar to save the entire configuration. 12 Replace the jdom.jar file:
a. Locate the jdom.jar file in <WAS_HOME>/lib and rename it to jdom.jar_ori. b. Copy the jdom-b9.jar from:
<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1/
to
<WAS_HOME>/lib
13 Modify configuration files. For instructions, see Modifying Configuration Files on page 137. 14 Stop the WebSphere server application.
WebSphere is now configured to run Shared Services.
15 Start the WebSphere server application. 16 Log on User Management Console using this URL:
http://ServerName:ServerPort/interop; for example, http://localhost:58080/interop.
WebSphere 6.1
This section provides detailed instructions for manually deploying to WebSphere 6.1 application server. See Location References on page 124 for the list of location references used in this section to refer to the directories on your system. Before you begin deploying, review the Prerequisites on page 124.
To manually deploy Shared Services to WebSphere application server:

1 Start the WebSphere server. 2 Log on as the administrator to the WebSphere Administration Console using this URL:
http://servername:portno/ibm/console
For servername and portno, enter the server and port on which WebSphere is running. The default location is http://localhost:9060/ibm/console.
3 Create the HYPERION_HOME and HSS_HOME WebSphere environment variables:
130
a. In the left frame, select Environments > WebSphere Variables. b. Select the server scope, click New, and create the following variables:
HYPERION_HOME: Set the value to the <HYPERION_HOME> directory you specified during installation. HSS_HOME: Set the value to the <HSS_HOME> directory you specified during installation.
4 Create a new shared library called Hyperion Shared Services Libraries:

a. In the left frame, select Environment > Shared Libraries. b. Select the server scope and click New. c. Name the shared library Hyperion Shared Services Libraries, and add the following libraries to the shared library:
Libraries (Windows):
${HSS_HOME}\AppServer\InstalledApps\other ${HSS_HOME}\AppServer\InstallableApps\other\HubProductBean.jar ${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib\hyjdbc.jar ${HSS_HOME}\AppServer\InstalledApps\other\commons-collections3.1.jar ${HSS_HOME}\AppServer\InstalledApps\other\commons-dbcp.jar ${HSS_HOME}\AppServer\InstalledApps\other\commons-pool.jar ${HYPERION_HOME}\common\XML\JDOM\0.8.0\jdom.jar ${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib ${HYPERION_HOME}\common\SAP\lib
Libraries (UNIX):
${HSS_HOME}/AppServer/InstalledApps/other ${HSS_HOME}/AppServer/InstallableApps/other/HubProductBean.jar ${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar ${HSS_HOME}/AppServer/InstalledApps/other/commons-collections3.1.jar ${HSS_HOME}/AppServer/InstalledApps/other/commons-dbcp.jar ${HSS_HOME}/AppServer/InstalledApps/other/commons-pool.jar ${HYPERION_HOME}/common/XML/JDOM/0.8.0/jdom.jar ${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib ${HYPERION_HOME}/common/SAP/lib
d. Click OK.
5 Create or update virtual hosts:

a. In the left frame, select Environment > Virtual Hosts. By default, Shared Services is configured to run on port 58080. b. Create or update a Virtual Host by defining a Host Alias for port 58080.
131
For details, please refer to the WebSphere documentation.
6 Deploy the .WAR file:

a. In the left frame, select Applications > Enterprise Applications. b. Click Install. c. Navigate to this location (Windows and UNIX):
<HSS_HOME>/AppServer/InstalledApps/other/interop.war (for WebSphere 6.1) <HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1/interop.war (for
WebSphere 5.1) d. Set the context root to interop, click Next.
Caution! Once you set the context root to interop, do not modify.
e. Click Next to accept the defaults. f. Select the virtual host of your choice and select Hyperion Shared Services, click Next, then click Finish.
g. After the Application Server is Successfully Deployed confirmation message is displayed, click Save to Master Configuration.
7 Add a transport chain:

a. In the left frame, select Servers > Application servers > <server_name>. b. Under Web container settings, click Web container transport chains. c. Click New. The Create New Transport Chain wizard initializes. Specify the following information:

A name for the new chain (for example, HSS). A transport chain template (for security). A port name (for example, HSS), the host name (you can enter *) or IP address for that port, and the port number under which Shared Services is going to run.
d. Click Finish.
8 Update JVM custom properties:

a. In the left frame, select Servers > Application Servers > <servername>. b. Select Java and Process Management > Process Definition > Java Virtual Machine > Custom Properties. c. Define a custom property with key "hyperion.home" and value <HYPERION_HOME>.
9 Reference the Shared Library:

a. In the left frame, select Applications > Enterprise Applications. b. Select interop.war. c. Under Detail Properties, select Class loading and update detection.
132
d. For Class Loader Order, select Class loaded with Application Class loader first. e. Set a reasonable value for Polling interval and then click OK. f. Under References, select Shared Library References.
g. Select the Hyperion System 9 Shared Services Module and click Reference Shared Libraries. h. Select the Hyperion Shared Services Libraries Shared Library. Then click OK.
10 Override session management:

a. In the left frame, select Enterprise Applications and in the right frame, click interop.war. b. In Web Module Properties, click Session Management. c. Check Override Session Management to override the server setting. d. Select Enable Cookies, change the cookie name to HUBSESSIONID, and click Apply.
11 Select the Save command in the top menu bar to save the entire configuration. 12 Modify configuration files. For instructions, see Modifying Configuration Files on page 137. 13 Stop the WebSphere server application.
WebSphere is now configured to run Shared Services.
14 Start the WebSphere server application. 15 Log on User Management Console using this URL:
http://ServerName:ServerPort/interop; for example, http://localhost:58080/interop.
Increasing the Memory Allocation for JVM

If you share large models, you must increase the amount of memory WebSphere allocates for JVM.
To increase the WebSphere memory allocation for JVM:

1 Log on as the administrator to the WebSphere Administration Console by opening a browser and setting
the address to http://servername:portno/admin where servername and portno are the server and port (specified during installation) on which the WebSphere server is running.
The default location is http://localhost:58080/admin.
2 In the left frame, select Servers > Application Servers; in the right frame, select SharedServices9 (or if
you installed manually, select the server to which you installed Shared Services).
3 Select Additional Properties Process Definition. 4 Select Additional Properties Java Virtual Machine. 5 Set Initial Heap Size to 128. (Size is in megabytes.) 6 Set Maximum Heap Size to as much memory as you can allocate for the computer.
Hyperion recommends a setting of 1024. (Size is in megabytes.)
133
7 Click OK. 8 Click OK. 9 Select the Save menu command. 10 Restart the Shared Services server.
Troubleshooting the WebSphere Application Server Configuration

If you are unable to start Shared Services, follow the procedure in this section to troubleshoot the WebSphere server configuration.
To troubleshoot the WebSphere server configuration:

1 Start the WebSphere server.
In most cases this is the WebSphere default server: server1. Type the following text at the command prompt: startServer server1 (Windows) or ./startServer.sh server1 (UNIX)
2 Log on as the administrator to the WebSphere Administration Console using this URL:
http://servername:portno/admin
For servername and portno, enter the server and port on which WebSphere is running. The default location is http://localhost:9060/admin.
3 In the left frame, open the Servers folder, click Application Servers, and verify there is a server named
SharedServices9.
4 In the left frame, open the Environment folder, click Manage Websphere Variables, and ensure the context
is set to Cell=DefaultNode, Node=DefaultNode.
5 Ensure the HYPERION_HOME environment variable is set and that it points to the correct directory. If it
does not exist, create it.
6 In the left frame, open the Environment folder, click Virtual Hosts, and verify there is a virtual host named
hyperionVirtualHost:
If there is no virtual host named hyperionVirtualHost, follow these steps: i. Click New.
ii. Enter the name hyperionVirtualHost and click OK. iii. Select the hyperionVirtualHost link. iv. In Additional Properties, select the Host Aliases link. Click Add. v. Enter a Host Name of *. vi. Enter the port number to use for Shared Services.
Note: Each application port number must be unique. If you modify a default port number, change it
to a port number not currently used.
134
vii. Click OK to create the Host Alias. viii. Click OK to save the changes to hyperionVirtualHost. ix. Select Save to save the change.
If there is a virtual host named hyperionVirtualHost: i. Select the hyperionVirtualHost link.
ii. In Additional Properties, select the Host Aliases link. iii. Select the link * and verify the port number is the one specified during Shared Services installation. This port number must not be used by other Web applications on your server. Take one of these actions:
If the port number is used by another application, correct the port number and click OK to save the change. If the port number is correct, click Cancel to return to the previous screen.
iv. Click OK to save the changes to hyperionVirtualHost. v. If you changed the port number, select Save Menu to save the change.
7 In the left frame, open the Environment folder, click Shared Libraries, and verify the scope is set as
follows:
Cell=DefaultNode, Node=DefaultNode, Server=SharedServices9
If the scope is not set correctly: a. Expand the scope section. b. Correct the information and click Apply to save the change.
8 Verify there is a shared library at the server level called Hyperion Shared Services Libraries:
If the shared library does not exist, follow the procedure in the configuration section for creating this shared library. If the shared library exists, click the Hyperion Shared Services Libraries link and verify there is a carriage return after each class path. Click OK. If the shared library exists but was accidentally created at the node level, rename the server level library set and link it to the interop.war file (see step 10).
9 In the left frame, open the Applications folder, click Enterprise Application, and verify there is an
application called adminconsole_SharedServices9.
If the application does not exist, you cannot use Hyperion Configuration Utility when the SharedServices9 server is running. You can do what you are doing now, which is to start the server1 server, make your changes, shut down server1 and start the SharedServices9 service.
10 In the left frame, open the Applications folder, click Enterprise Application, and verify there is an
application called interop.war:
If the interop.war application does not exist, create one: i. Click Install and navigate to the file: <HSS_HOME>/AppServer/InstallableApps/ common/WebSphere/<version>/interop.war.
ii. Set the context root to interop and click Next.
135
Caution! Once the context root is set to interop, do not modify.
iii. Click Next to accept the defaults on the Bindings page. iv. Click Continue on the Application Security Warning page. v. Click Next to accept the defaults. vi. Select hyperionVirtualHost and select Hyperion Shared Services. Click Next. vii. Select Hyperion Shared Services. viii. Select the Server WebSphere: cell=DefaultNode, node=DefaultNode, and server=SharedServices9. Click Apply to move it to the Hyperion Shared Services Server. ix. Click Next. Click Finish. x. Select Save to Master Configuration and click Save. xi. In the left frame, open the Applications folder and click Enterprise Application.
If the interop.war application exists or if you just installed the interop.war application: i. Select the interop.war link.
ii. Select the Additional Properties Libraries link. iii. If the Hyperion Shared Services Libraries link is not displayed, click Add, select Hyperion Shared Services Libraries, and click OK. iv. Select Additional Properties Session Management. v. Select Enable Cookies and ensure the cookie name is set to HUBSESSIONID. Click OK to return to the previous screen. vi. Ensure Override is selected. Click OK to return to the previous page. vii. Click OK to save your changes. viii. Select the Save menu command to save your changes to the Master Configuration, and click Save again to save the changes. ix. In the HubProductBean.jar file, remove the classes related to the jce1_2_2.jar file. These are classes that are part of the package structure 'javax/crypto/' from HubProductBean.jar.
11 Log off the Administration page and stop the application server. 12 Start the SharedServices9 Application Server by typing the following text at the command prompt:
startServer server1 (Windows) or ./startServer.sh server1 (UNIX).
13 In a Web browser, try to start the following Web page:

http://localhost:58080/interop/framework/login Note: Use the port number you specified during Shared Services installation.
136
If this page is not displayed, review the following log file:

<WAS_HOME>/WebSphere/AppServers/logs/server1/SystemOut.log
You can ignore most of the errors generated because you have yet to set up HUB. However, if the log file says it cannot find the Default.xml file, HUB cannot start and you must check whether it is because of one of these reasons:
The Hyperion Shared Services Libraries definition is incorrect and each class is not on its own line. The libraries are not defined for interop.war. The <HYPERION_HOME> environment variable is incorrect.
If after following these additional steps you still cannot start Shared Services, contact Hyperion Technical Support.
Modifying Configuration Files

This section details the files to modify. The values listed for driver classes, adapter classes, and URLs should be used to replace the values provided in the section Files To Modify on page 138.
Driver Classes

SQL Server: hyperion.jdbc.sqlserver.SQLServerDriver Oracle: hyperion.jdbc.oracle.OracleDriver DB2: hyperion.jdbc.db2.DB2Driver
Adapter Classes

SQL Server: org.apache.slide.store.impl.rdbms.SQLServerRDBMSAdapter Oracle: org.apache.slide.store.impl.rdbms.OracleRDBMSAdapter DB2: org.apache.slide.store.impl.rdbms.DB2RDBMSAdapter
URLs
For SQL Server:

jdbc:hyperion:sqlserver://hostname:1433;DatabaseName=databasename
For example,
jdbc:hyperion:sqlserver://user.hdc.net:1433;DatabaseName=hyperion
For Oracle:
jdbc:hyperion:oracle://hostname:1521;SID=SIDName
For example,
jdbc:hyperion:oracle://hyperion2003:1521;SID=ora92
For DB2:
137
jdbc:hyperion:db2://hostname:50000;DatabaseName=databasename; MaxPooledStatements=40;DynamicSections=3000
For example:
jdbc:hyperion:db2://user.hdc.net:50000;DatabaseName=HYPERION; MaxPooledStatements=40;DynamicSections=3000
Files To Modify
The following files require modification using the values provided in the previous section and in the following topics:

Domain.xml slide.properties CSS.xml scheduler.properties WorkflowEngine.properties
These files are located in:

<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1 (for WebSphere 5.1) <HSS_HOME>/AppServer/InstalledApps/other (for WebSphere 6.1)
Domain.xml
Change the following values to the values for your relational database:
<parameter name="driver">JDBC_DRIVER</parameter> <parameter name="adapter">JDBC_ADAPTER</parameter> <parameter name="url">JDBC_URL</parameter> <parameter name="user">DB_USERNAME</parameter> <parameter name="password">DB_PASSWORD</parameter>
For instance if you are using DB2:

<parameter name="driver">hyperion.jdbc.db2.DB2Driver</parameter> <parameter name="adapter">org.apache.slide.store.impl.rdbms. DB2RDBMSAdapter</parameter> <parameter name="url">jdbc:hyperion:db2://user.hdc.net:50000; DatabaseName=HYPERION;MaxPooledStatements=40;DynamicSections=3000 </ parameter> <parameter name="user">db2admin</parameter> <parameter name="password">MqEM/uFmOZucduv9jcWaAg==</parameter>
Change the value for css_config to a valid path for the CSS.xml file.
slide.properties
Change the value for org.apache.slide.domain to a valid path for the Domain.xml file. For example, if you are deploying to WebSphere 6, change the following value for org.apache.slide.domain:
138
org.apache.slide.domain=F:/cc/cms/server/AppServer/InstalledApps/ Tomcat/Base/Domain.xml
to this value:
org.apache.slide.domain=C:/Hyperion/SharedServices/9.2/AppServer/ InstalledApps/other/Domain.xml
CSS.xml
Ensure the hostname is used instead of localhost. The hostname is the name of the computer running OpenLDAP, not the computer running the Web server (if you have a Web server). Also ensure the correct port is being used for the OpenLDAP database. For example, change the following values:
<hub location="http://localhost:58080"> <dirPort>58089</dirPort> </hub>
to these values:
<hub location="http://hostname:58080"> <dirPort>58089</dirPort> </hub>
scheduler.properties
In the Configure Datasource section, update the following values for the database you are using. The following values apply if DB2 is used:
org.quartz.dataSource.myDS.driver = hyperion.jdbc.db2.DB2Driver org.quartz.dataSource.myDS.URL = jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE; MaxPooledStatements=40;DynamicSections=1000 org.quartz.dataSource.myDS.user = db2admin <database user name> org.quartz.dataSource.myDS.password = MqEM/uFmOZucduv9jcWaAg== <database password>
Values for Driver Class are listed in Driver Classes on page 137. Values for URLs are listed in URLs on page 137.
WorkflowEngine.properties
Update the following values for the database you are using. The following values apply if DB2 is used:
workflowEngine.jdbc.product=db2 workflowEngine.jdbc.driver=hyperion.jdbc.db2.DB2Driver workflowEngine.jdbc.url=jdbc:hyperion:db2://raghavr.hdc.net:50000; DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000 workflowEngine.jdbc.user=db2admin <database user name>
139
workflowEngine.jdbc.password=MqEM/uFmOZucduv9jcWaAg== <database password>
Values for driver class are listed in Driver Classes on page 137. Values for URLs are listed in URLs on page 137. For the following field:
workflowEngine.jdbc.product=
use these values for the database you are using:

MySQL - mysql SQLServer - sqlserver Oracle - oracle DB2 - db2
140
APPENDIX
B
In This Appendix
Manual Deployment to WebLogic Application Server
Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Basic Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Detailed Deployment Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Modifying Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
141
Location References
<BEA_HOME> is the installation directory of the BEA WebLogic server; for example, C: \bea (Windows) or /opt/bea (UNIX). <HSS_HOME> is the directory in which you installed Shared Services. <HYPERION_HOME> is the directory you specified during the Hyperion product
installation.
<HSS_WL_HOME> is the location where Hyperion Configuration Utility puts the files
needed to manually deploy Shared Services:

<HSS_HOME>/AppServer/InstalledApps/WebLogic/8.1 (for WebLogic 8.1) <HSS_HOME>/AppServer/InstalledApps/other (for WebLogic 9.2) Note: Unless noted specifically in this chapter, forward slashes in directory paths apply to both Windows and UNIX.
Prerequisites
Install WebLogic application server and ensure it is running (see the application server documentation). Install the NodeManager service by running the installNodeMgrSvc.cmd script located in the <BEA_HOME>/server/bin directory and start the service after installation. Install Shared Services to the same computer as the application server (see Chapter 4, Installing and Upgrading Shared Services).
Note: Shared Services cannot be installed to directories with names containing spaces; for example, the Program Files directory.
After installation, run Hyperion Configuration Utility to configure Shared Services. Select the database configuration and application server deployment tasks. Provide the database information, and then select the manual deployment option on the Application Server selection panel. Selecting the manual deployment option copies the necessary files to:
<HSS_WL_HOME>
See Location References on page 142.

This section provides high-level instructions for manually deploying to WebLogic application server. You can manually configure BEA WebLogic versions 8.1.4 and 9.2. See Location References on page 142 for the list of location references used in this section to refer to the directories on your system.
142
For detailed manual deployment instructions, see Detailed Deployment Instructions on page 144.
Create a New WebLogic Domain

Create a new WebLogic domain or use an existing domain. Please refer to the BEA WebLogic documentation for instructions to create domains. Shared Services does not have any special requirements for creating domains.
Unpackage the WAR File and Copy Files

Note: See Location References on page 142 for the list of location references used in this section to refer to the directories on your system.
1 Create the following directory for unpackaging files:

<HSS_WL_HOME>/SharedServices9Domain/interop
2 Extract the contents of the interop.war file located in:

<HSS_HOME>/AppServer/InstallableApps/common
to:
3 For WebLogic 8.1:

a. Copy the following files from <HSS_WL_HOME> to
<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib

commons-logging.jar commons-dbcp.jar commons-pool.jar
b. Copy web.xml.weblogic.81 from <HSS_WL_HOME> to

<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF and rename the file to web.xml.
c. Copy the jsp_servlet folder from

<HSS_WL_HOME>/precompiledJSPs/jsp_servlet to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/classes.
4 For WebLogic 9.2:

a. Copy the following files from <HSS_WL_HOME> to

commons-pool.jar commons-dbcp.jar
b. Copy commons-logging.jar from

<HSS_HOME>/AppServer/InstallableApps/WebLogic/8.1 to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib.
143
c. Rename the web.xml.weblogic.92 file in the

<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF directory to web.xml.
d. Copy mimemappings.properties from <HSS_WL_HOME> to the config folder in the WebLogic domain location.
Deploy the Web Application Modules to the SharedServices Server

Install the interop deployment as an application to the SharedServices server. The interop.war file is located in the
<HSS_WL_HOME>/SharedServices9Domain/interop directory. See Location References
on page 142.

For instructions, see Modifying Configuration Files on page 147.
Update the Classpath

Add the classpath settings as specified in step 8 on page 146.
Copy/Modify Additional Files

See the Detailed Deployment Instructions on page 144 for additional steps.

This section provides detailed instructions for deploying to WebLogic application server. You can manually configure BEA WebLogic versions 8.1.4 and 9.2. See Location References on page 142 for the list of location references used in this section to refer to the directories on your system. Before you begin deploying, review the Prerequisites on page 142.
To configure the WebLogic server for Shared Services:

1 Launch the BEA WebLogic Configuration Wizard. 2 Create a new WebLogic domain, or use an existing domain.
Please refer to the BEA WebLogic documentation for instructions to create domains. Shared Services does not have any special requirements for creating domains.
3 Start WebLogic by running startWebLogic.cmd on Windows or startWebLogic.sh on UNIX,

located in the WebLogic domain location.
144
4 Log on to WebLogic Administration Console:

a. Open a browser and set the address to http://localhost:portno/console where portno is the port (specified during installation) on which the WebLogic server is running. b. Use the username and password you specified earlier in this procedure.
5 Create a new server:

a. On the left-hand side of the screen, select Servers and then the option to configure a new server. Enter the server name as SharedServices and the server listen port as 58080 and save the changes.
Note: For WebLogic 9.2, select the option to create a stand-alone server.
b. On the left-hand side of the screen, select Machines and then the option to configure a new machine. Enter the name of the machine where WebLogic is installed and save the changes.
Note: The NodeManager service must be running on the computer where WebLogic is installed.
c. Select Servers and click SharedServices. Select the machine name that was created in the previous step and save the changes.
6 Unpackage and copy files (Windows and UNIX):

Note: See Location References on page 142 for the list of location references used in this section to refer to the directories on your system.
a. Create the following directory for unpackaging files:

b. Extract the contents of the interop.war file located in:

to:
c. For WebLogic 8.1: i. Copy the following files from <HSS_WL_HOME> to


commons-logging.jar commons-dbcp.jar commons-pool.jar
ii. Copy web.xml.weblogic.81 from <HSS_WL_HOME> to

<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF and rename the
file to web.xml.
145
iii. Copy the jsp_servlet folder from

<HSS_WL_HOME>/precompiledJSPs/jsp_servlet to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/classes.
d. For WebLogic 9.2: i. Copy the following files from <HSS_WL_HOME> to


commons-pool.jar commons-dbcp.jar
ii. Copy commons-logging.jar from

<HSS_HOME>/AppServer/InstallableApps/WebLogic/8.1 to <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib.
iii. Rename the web.xml.weblogic.92 file in the

<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF directory to web.xml.
iv. Copy mimemappings.properties from <HSS_WL_HOME> to the config folder in the WebLogic domain location.
7 Deploy the new Web application modules to the SharedServices server:

a. From the WebLogic Administration Console, start the SharedServices server. b. From the WebLogic Administration Console, select Deployment > Web application Modules and deploy/install a new web application module. c. Select the path to the interop folder (Windows and UNIX):
d. In the subsequent installation screens, select the following options:

For 9.2 only: Install this deployment as an application. The target server is SharedServices. For 9.2 only: Retain the deployment name as interop. Select the option to make the deployment accessible from a specific location, and specify the full path to the interop folder.
e. Finish and activate the changes.
8 Update the classpath:

For the SharedServices server, in Advanced options, prepend the following paths to the server classpath, separated by semi-colons (Windows and UNIX):

<HSS_WL_HOME>/ <HSS_WL_HOME>/HubProductBean.jar <HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar
where <HSS_WL_HOME> is:

<HSS_HOME>/AppServer/InstalledApps/WebLogic/8.1 (for WebLogic 8.1) <HSS_HOME>/AppServer/InstalledApps/other (for WebLogic 9.2)
9 Save your changes.
146
10 Modify configuration files. See Modifying Configuration Files on page 147. 11 Copy the following files to the specified location (Windows and UNIX):
a. Copy the HubProductBean.jar file from:
<HSS_WL_HOME>/
to:
b. Copy the CSS.xml file from:

<HSS_WL_HOME>/ to: <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/classes
c. Copy ALL *.properties files from:

<HSS_WL_HOME>/ to: <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/classes
d. Copy the hyjdbc.jar file from:

<HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib to: <HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib
12 Add the following tag to the <DOMAIN_LOCATION>/<DOMAIN_NAME>/config/config.xml file

in the Security-Configuration section:
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-authcredentials>
13 Start the SharedServices server. 14 For WebLogic 9.2 only: Select Deployments and then the interop web application and click Start ->
servicing all requests. Once the status of the application changes to "active", the application is available.
15 Launch http://localhost:58080/interop.

This section details the files to modify. The values listed for driver classes, adapter classes, and URLs should be used to replace the values provided in the section Files To Modify on page 148.
Driver Classes

SQL Server: hyperion.jdbc.sqlserver.SQLServerDriver Oracle: hyperion.jdbc.oracle.OracleDriver DB2: hyperion.jdbc.db2.DB2Driver
147
Adapter Classes

SQL Server: org.apache.slide.store.impl.rdbms.SQLServerRDBMSAdapter Oracle: org.apache.slide.store.impl.rdbms.OracleRDBMSAdapter DB2: org.apache.slide.store.impl.rdbms.DB2RDBMSAdapter
URLs
For SQL Server:

For example,
jdbc:hyperion:sqlserver://user.hdc.net:1433;DatabaseName=hyperion
For Oracle:
For example,
For DB2:
For example:
jdbc:hyperion:db2://user.hdc.net:50000;DatabaseName=HYPERION; MaxPooledStatements=40;DynamicSections=3000
Files To Modify

Domain.xml slide.properties CSS.xml scheduler.properties WorkflowEngine.properties
These files are located in the <HSS_WL_HOME> directory. See Location References on page 142.
Domain.xml
<parameter name="driver">JDBC_DRIVER</parameter> <parameter name="adapter">JDBC_ADAPTER</parameter> <parameter name="url">JDBC_URL</parameter> <parameter name="user">DB_USERNAME</parameter>
148
<parameter name="password">DB_PASSWORD</parameter>

<parameter name="driver">hyperion.jdbc.db2.DB2Driver</parameter> <parameter name="adapter">org.apache.slide.store.impl.rdbms. DB2RDBMSAdapter</parameter> <parameter name="url">jdbc:hyperion:db2://user.hdc.net:50000; DatabaseName=HYPERION;MaxPooledStatements=40;DynamicSections=3000 </ parameter> <parameter name="user">db2admin</parameter> <parameter name="password">MqEM/uFmOZucduv9jcWaAg==</parameter>
Change the value for css_config to a valid path for the CSS.xml file. For example, if you are deploying to WebLogic, change the following value for css_config:
<parameter name="css_config">file:///F:/cc/cms/server/deployments/ Tomcat/Base/CSS.xml</parameter>
to this value:
For WebLogic 8.1.x, <parameter name="css_config">file:///C:/Hyperion

/SharedServices/9.2/AppServer/InstalledApps/WebLogic/8.1/CSS.xml </ parameter> (Windows) or <parameter name="css_config">file:///$HOME/ SharedServices/9.2/AppServer/InstalledApps/WebLogic/8.1/CSS.xml </ parameter> (UNIX)
For WebLogic 9.2, <parameter name="css_config">file:///C:/Hyperion

/SharedServices/9.2/AppServer/InstalledApps/other/CSS.xml</ parameter> (Windows) or <parameter name="css_config">file:///$HOME/ SharedServices/9.2/AppServer/InstalledApps/other/CSS.xml </parameter> (UNIX)
slide.properties
Change the value for org.apache.slide.domain to a valid path for the Domain.xml file. For example, if you are deploying to WebLogic, change the following value for org.apache.slide.domain:
org.apache.slide.domain=F:/cc/cms/server/AppServer/InstalledApps/ Tomcat/Base/Domain.xml
to this value:
For WebLogic 8.1.x, org.apache.slide.domain= C:/Hyperion/SharedServices /9.2/AppServer/InstalledApps/WebLogic/8.1/Domain.xml (Windows) or

org.apache.slide.domain= $HOME/SharedServices/9.2/AppServer/ InstalledApps/WebLogic/8.1/Domain.xml (UNIX)
For WebLogic 9.2, org.apache.slide.domain= C:/Hyperion/SharedServices /9.2/AppServer/InstalledApps/other/Domain.xml (Windows) or

org.apache.slide.domain= $HOME/SharedServices/9.2/AppServer/ InstalledApps/other/Domain.xml (UNIX)
149
CSS.xml
Ensure the hostname is used instead of localhost. The hostname is the name of the computer running OpenLDAP, not the computer running the Web server (if you have a Web server). Also ensure the correct port is being used for the OpenLDAP database. For example, change the following values:
to these values:
scheduler.properties
workflowEngine.jdbc.product=db2 workflowEngine.jdbc.driver=hyperion.jdbc.db2.DB2Driver workflowEngine.jdbc.url=jdbc:hyperion:db2://raghavr.hdc.net:50000; DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000 workflowEngine.jdbc.user=db2admin <database user name> workflowEngine.jdbc.password=MqEM/uFmOZucduv9jcWaAg== <database password>
150

151
152
APPENDIX
C
In This Chapter
Manual Deployment to Oracle 10g Application Server
This appendix provides information about manually deploying Shared Services to Oracle 10.1.3.1.0 application server.
Location References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Basic Deployment Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Detailed Deployment Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Modifying Files After Manual Application Server Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
153
Location References

<HSS_HOME> identifies the directory in which you installed Shared Services. <HYPERION_HOME> identifies the directory for Hyperion products. <ORACLE_HOME> identifies the installation location of Oracle 10g application server. For detailed manual deployment instructions, see Detailed Deployment Instructions on page 156.
Note: Unless noted specifically in this chapter, forward slashes in directory paths apply to both Windows and UNIX.
Prerequisites
Install Oracle application server and ensure it is running (see the application server documentation). Install Shared Services to the same computer as the application server (see Chapter 4, Installing and Upgrading Shared Services). Shared Services cannot be installed to directories with names containing spaces; for example, C:\Program Files (Windows) or $HOME/Program Files (UNIX).
After installation, run Hyperion Configuration Utility to configure Shared Services. Configure the database, and then on the application server selection panel, select Tomcat as the application server for deployment and select the manual deployment option. (There is no option for Oracle application server.) Then follow the steps in this chapter to complete the manual deployment. The files copied by Hyperion Configuration Utility for Tomcat are not needed for the Oracle deployment.

This section provides high-level instructions for manually deploying to Oracle 10.1.3.1.0 application server. See Location References on page 154 for the list of location references used in this section to refer to the directories on your system.

See Modifying Files After Manual Application Server Configuration on page 158.
Deploy the Web Application

Deploy the Shared Services WAR file, interop.war. The interop.war file is located in the <HSS_HOME>/AppServer/InstallableApps/common directory.
154
Set the Classpaths

Add these libraries to the list of Library Paths: Windows:
<HSS_HOME>\AppServer\InstallableApps\other; <HSS_HOME>\AppServer\InstallableApps\common; <HSS_HOME>\AppServer\InstallableApps\other\commons-collections-3.1.jar; <HSS_HOME>\AppServer\InstallableApps\other\commons-dbcp.jar; <HSS_HOME>\AppServer\InstallableApps\other\commons-pool.jar; <HSS_HOME>\AppServer\InstallableApps\other\HubProductBean.jar; <HYPERION_HOME>\common\JDBC\DataDirect\3.6\lib\hyjdbc.jar; <HYPERION_HOME>\common\loggers\Log4j\1.2.8\lib\log4j-1.2.8.jar; <HYPERION_HOME>\common\SAP\lib;
UNIX:
<HSS_HOME>/AppServer/InstallableApps/other; <HSS_HOME>/AppServer/InstallableApps/common; <HSS_HOME>/AppServer/other/commons-collections-3.1.jar; <HSS_HOME>/AppServer/InstallableApps/other/commons-dbcp.jar; <HSS_HOME>/AppServer/InstallableApps/other/commons-pool.jar; <HSS_HOME>/AppServer/InstallableApps/other/HubProductBean.jar; <HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar; <HYPERION_HOME>/common/loggers/Log4j/1.2.8/lib/log4j-1.2.8.jar; <HYPERION_HOME>/common/SAP/lib;
Add the following files to the path: Windows:

<HYPERION_HOME>\common\SAP\bin; <HYPERION_HOME>\common\CSS\9.2.1.0\bin;
UNIX:
<HYPERION_HOME>/common/SAP/bin; <HYPERION_HOME>/common/CSS/9.2.1.0/bin;
Ensure that you keep the bsf.jar and rhino.jar files in the classpath. The jar files are available in the following location:
<ORACLE_HOME>/j2ee/home/applications/<ApplicationName>/interop/ WEBINF/lib
Change the Oracle HTTP Server Listen Ports

You must change the Oracle HTTP server listen port for Shared Services. Instructions for changing the Oracle HTTP server listen port are documented at the following location:
155
http://downloadwest.oracle.com/docs/cd/B14099_19/core.1012/b13995/ports.htm#CIHJEEJH

This section provides detailed instructions for manually deploying to Oracle 10.1.3.1.0 application server. See Location References on page 154 for the list of location references used in this section to refer to the directories on your system. Before you begin deploying, review Prerequisites on page 154.
To configure Oracle application server 10.1.3.1.0 for Shared Services:

1 Modify configuration files. See Modifying Files After Manual Application Server Configuration on
page 158.
2 Start Oracle application server by opening a Web browser, setting the URL to
http://localhost:8888 or http://<servername>:<portname>, and specifying the
username and password you created during installation of Oracle.
3 Log on to the Oracle 10G Application Server Console. 4 Deploy the Web application:
a. Under Groups, click the OC4J instance; for example, Home, where you want to deploy . b. Click Applications and then click Deploy. c. On the Select Archive page, click Browse and select
<HSS_HOME>\AppServer\InstallableApps\common\interop.war (Windows)
or
<HSS_HOME>/AppServer/InstallableApps/common/interop.war (UNIX)
d. Click Next. e. On the Application Attribute page, specify an application name; for example, SharedServices9 and change Context Root to /interop.
Caution! Once the context root is set to /interop, do not modify.
f.
Click Next.
g. Set the classpaths and path: i. On the Deployment Settings page under Deployment Tasks, click the Go to Task link next to the Configure Class Loading task.
ii. Under Configure Web Module Class Loaders, enter the following values (separated by semicolons) for Classpath Value:
<HSS_HOME>\AppServer\InstallableApps\other; <HSS_HOME>\AppServer\InstallableApps\common;
156
<HSS_HOME>\AppServer\InstallableApps\other\commons-collections3.1.jar; <HSS_HOME>\AppServer\InstallableApps\other\commons-dbcp.jar; <HSS_HOME>\AppServer\InstallableApps\other\commons-pool.jar; <HSS_HOME>\AppServer\InstallableApps\other\HubProductBean.jar; <HYPERION_HOME>\common\JDBC\DataDirect\3.6\lib\hyjdbc.jar; <HYPERION_HOME>\common\loggers\Log4j\1.2.8\lib\log4j-1.2.8.jar; <HYPERION_HOME>\common\SAP\lib;
UNIX:
<HSS_HOME>/AppServer/InstallableApps/other; <HSS_HOME>/AppServer/InstallableApps/common; <HSS_HOME>/AppServer/other/commons-collections-3.1.jar; <HSS_HOME>/AppServer/InstallableApps/other/commons-dbcp.jar; <HSS_HOME>/AppServer/InstallableApps/other/commons-pool.jar; <HSS_HOME>/AppServer/InstallableApps/other/HubProductBean.jar; <HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar; <HYPERION_HOME>/common/loggers/Log4j/1.2.8/lib/log4j-1.2.8.jar; <HYPERION_HOME>/common/SAP/lib; Note: Separate each value with a semicolon.
iii. Add the following files to the path: Windows:

<HYPERION_HOME>\common\SAP\bin; <HYPERION_HOME>\common\CSS\9.2.1.0\bin;
UNIX:
<HYPERION_HOME>/common/SAP/bin; <HYPERION_HOME>/common/CSS/9.2.1.0/bin;
Ensure that you keep the bsf.jar and rhino.jar files in the classpath. The jar files are available in the following location:
<ORACLE_HOME>/j2ee/home/applications/<ApplicationName>/interop/ WEBINF/lib
iv. Click OK. h. On the Deployment Settings page, click Deploy. The Processing: Deploy page displays progress messages for the application being deployed. i. Click Return after you see the following confirmation message: Application "SharedServices9" successfully deployed.
157
5 Change the Oracle HTTP server listen port for Shared Services. Instructions for changing the Oracle HTTP
server listen port are documented at the following location:
http://download-west.oracle.com/docs/cd/B14099_19/core.1012/ b13995/ports.htm#CIHJEEJH
Modifying Files After Manual Application Server Configuration

The section details the files that must be modified after a manual application server configuration. The values listed for driver classes, adapter classes, and URLs should be used to replace the values provided in the section Files To Modify on page 159.
Driver Classes

MySQL: org.gjt.mm.mysql.Driver SQL Server: hyperion.jdbc.sqlserver.SQLServerDriver Oracle: hyperion.jdbc.oracle.OracleDriver DB2: hyperion.jdbc.db2.DB2Driver
Adapter Classes

MySQL: org.apache.slide.store.impl.rdbms.MySqlRDBMSAdapter SQL Server: org.apache.slide.store.impl.rdbms.SQLServerRDBMSAdapter Oracle: org.apache.slide.store.impl.rdbms.OracleRDBMSAdapter DB2: org.apache.slide.store.impl.rdbms.DB2RDBMSAdapter
URLs
For MySQL:
jdbc:mysql://hostname:3306/hub?useUnicode=true&characterEncoding =UTF-8
For example,
jdbc:mysql://raghavr.hdc.net:3306/hub?useUnicode=true& characterEncoding=UTF-8
For SQL Server:

For example,
jdbc:hyperion:sqlserver://udayk.hdc.net:1433;DatabaseName=raghav
For Oracle:
For example,
158
For DB2:
For example:
jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE; MaxPooledStatements=40;DynamicSections=1000
Files To Modify

Domain.xml Slide.properties CSS.xml WorkflowEngine.properties Scheduler.properties
These file are located in:

Domain.xml
<parameter name="driver">JDBC_DRIVER</parameter> <parameter name="adapter">JDBC_ADAPTER</parameter> <parameter name="url">JDBC_URL</parameter> <parameter name="user">DB_USERNAME</parameter> <parameter name="password">DB_PASSWORD</parameter>

<parameter name="driver">hyperion.jdbc.db2.DB2Driver</parameter> <parameter name="adapter">org.apache.slide.store.impl.rdbms. DB2RDBMSAdapter</parameter> <parameter name="url">jdbc:hyperion:db2://raghavr.hdc.net:50000; DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000 </parameter> <parameter name="user">db2admin</parameter> <parameter name="password">MqEM/uFmOZucduv9jcWaAg==</parameter>
Change the value for css_config to a valid path for the CSS.xml file. For example, change the following value:
<parameter name="css_config">file:///F:/cc/cms/server/deployments/ Tomcat/Base/CSS.xml</parameter>
to the following value:
159
<parameter name="css_config">file:///<HSS_HOME>/AppServer/InstallableApps/ common/CSS.xml</parameter>
Slide.properties
Change the following value:
org.apache.slide.domain=F:/cc/cms/server/deployments/Tomcat/Base/ Domain.xml
to the following value:

org.apache.slide.domain=<HSS_HOME>/AppServer/InstallableApps/common/ Domain.xml
CSS.xml
Ensure the hostname is used instead of localhost, and ensure the correct port is being used for the OpenLDAP database. For example, change the following values:
to the following values:

Scheduler.properties
160
workflowEngine.jdbc.product=db2 workflowEngine.jdbc.driver=hyperion.jdbc.db2.DB2Driver workflowEngine.jdbc.url=jdbc:hyperion:db2://raghavr.hdc.net:50000; DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000 workflowEngine.jdbc.user=db2admin <database user name> workflowEngine.jdbc.password=MqEM/uFmOZucduv9jcWaAg== <database password>

161
162
APPENDIX
Setting Up Shared Services Using Clustering
The procedures in this appendix help you to set up Shared Services in a cluster if you are using a hardware load balancer, which supports session persistence, or if you are setting up a cluster using a software load balancer (Proxy Plug-in). This appendix also provides information about replicating the OpenLDAP environment.
In This Appendix
About Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 About Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Using a Hardware Load Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Using a Software Load Balancer (Proxy Plug-In) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Replicating the OpenLDAP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
163
About Clustering
An application server cluster is a set of application servers running one application. The application server processes can run on one computer or on multiple computers. From a client view, a cluster appears to be one server instance. Clustered application servers behave similarly to single servers, except they provide load balancing and failover. All server instances in a cluster must reside in the same cell (defined in the following table) of an application server domain.
Note: Session failure is not supported with application server clusters.
Clustering provides these benefits:
Client processing requests are balanced, enabling incoming work requests to be distributed according to a configured WLM selection policy Failover capability provided by redirecting client requests to a running server when one or more servers are unavailable This improves the availability of applications and administrative services.
Systems can be scaled to serve a higher client load than provided by the basic configuration With clusters and cluster members, additional instances of servers can easily be added to the configuration.
Servers can be transparently maintained and upgraded while applications remain available for users Centralized administration of application servers and other objects
The following table defines key clustering terminology.

Table 1
Clustering Terminology Definition An application server process running in its own Java Virtual Machine (JVM) A logical group of servers located on one physical computer Multiple nodes can exist on one computer, but for this document, assume only one node exists for each physical computer.
Term Managed server Node
Node agent
An administrative process that manages the servers running on a node A node agent resides on one node.
Cell
A logical group of nodes belonging to one administrative domain A cell is a configuration concept, a way for administrators to logically associate nodes with one another. Administrators define the nodes that make up a cell according to whatever criteria make sense in their organizational environments.
164
Table 1
Clustering Terminology (Continued) Also called network deployment manager, it manages the multiple nodes in a distributed topology Technically, an application server running an instance of the administration console can manage the application servers configured in one cell. It does this by interacting with the node agent running on each physical computer in the cell.
Cell manager
Load balancing
The distribution of tasks across the application servers of a cluster
Server clusters come in two main varieties: vertical and horizontal. These are sometimes referred to as vertical scalability and horizontal scalability. Vertical clustering refers to the practice of defining multiple clones of an application server on one physical computer. In some cases one application server, which is implemented by one JVM process, cannot fully utilize the CPU power of a large computer and drive CPU load up to 100%. Vertical clusters provide a straightforward mechanism to create multiple JVM processes that can fully utilize the processing power available as well as providing process level failover. Horizontal clustering refers to the more traditional practice of defining clones of an application server on multiple physical computers, thereby enabling one application to span several computers while presenting one system image. Horizontal cloning can provide increased throughput and failover.
Note: Never run clustering on multiple computers unless their clocks are synchronized using some form of timesynchronization service (daemon) running very regularly (the clocks must be within a second of each other). Never start a non-clustered instance against the same set of tables that another instance is running against. It causes serious data corruption and erratic behavior.
About Load Balancing

You can set up Shared Services in a cluster if you are using a hardware load balancer, which supports session persistence, or if you are setting up a cluster using a software load balancer (Proxy Plug-in).
About Load Balancing
165
The following figure depicts a sample cluster deployment of Shared Services:
Using a Hardware Load Balancer

To set up a cluster using a hardware load balancer:
1 Install and configure Shared Services on each node (host) as instructed in Chapter 4, Installing and
Upgrading Shared Services and Chapter 5, Configuring and Setting Up Shared Services.
These instructions are not specific to clustering, but they explain how to install Shared Services.
2 When configuring the second, third, and fourth (and so on) nodes, perform these configurations:

Choose to reuse the data while configuring the relational storage for Shared Services. Modify the CSS.xml file to update the following element:
<hub location="http://HOSTNAME:PORT"> <dirPort>LDAP_PORT</dirPort> </hub>
The value for hub location is the primary (first node) Shared Services host name and port number. The value for dirPort is the port number of the OpenLDAP database on the primary Shared Services computer.
In the Domain.xml file, set the global cache to off. To do so, set the value of slidecache from on to off. To use the OpenLDAP servers on these nodes as failovers, follow the procedure in Replicating the OpenLDAP Environment on page 183.
3 Add the host name (IP address) of each of the nodes into the load balancer host list.
166
Using a Software Load Balancer (Proxy Plug-In)

The procedures in this section describe how to set up Shared Services in a cluster for these application servers:

WebSphere Clustering on page 167 WebLogic Clustering on page 175
WebSphere Clustering
This section includes these procedures for WebSphere clustering:

Creating the Deployment Manager Cell on page 167 Setting Up the Shared Services Clustering Environment on page 168 Installing Shared Services To A Cluster on page 170 Adding Support for Additional Ports to the Default Host on page 171 Setting the Class Path on page 171 Deploying One Application on Multiple Servers on page 173 Selecting Server Settings on page 173 HTTP Web Plug-in Settings on page 174
Note: The procedures in this section use horizontal clustering on two physical computers.
Creating the Deployment Manager Cell

To create the Deployment Manager cell on WebSphere:
1 On machine1, start the WebSphere Network Deployment Manager process:
a. Open a command prompt. b. Navigate to the WEBSPHERE\DeploymentManager\bin directory (where WEBSPHERE is the installation directory of the WebSphere server). c. Run startManager.bat.
2 Add two WebSphere nodes to the cell for the Deployment Manager:
a. On machine1, navigate to the WEBSPHERE\AppServer\bin directory. b. Type the following command:
addNode.bat <machineName>
For example: addNode.bat machine1 where <machineName> is the name of the computer on which the Deployment Manager is running.
Note: You cannot run the addNode command on two nodes simultaneously.
167
When the command is completed, the following confirmation message is displayed:

Node <machineName> has been successfully federated.
c. On machine2, run the same command as follows:

WEBSPHERE\AppServer\bin>addNode.bat <machine1Name>
For example: WEBSPHERE\AppServer\bin>addNode.bat machine1 When you complete this procedure, you have a deployment manager, a node agent running on machine1, and a node agent running on machine2. To verify the installation to this point, review the following logs:
WEBSPHERE\AppServer\logs\nodeagent\SystemOut.log (on all computers) WEBSPHERE\DeploymentManager\logs\dmgr\SystemOut.log (on machine1)
Setting Up the Shared Services Clustering Environment

To set up a cluster for Shared Services on WebSphere:
1 Install Shared Services as described in Chapter 4, Installing and Upgrading Shared Services. Use one of
the following deployment options:
Option 1: Install Shared Services on two computers with identical directory structures. Some jar files and configuration files are required before the server startup and runtime. For example:
c:\websphere on machine1 c:\websphere on machine2
With this option, there are two sets of configuration files available on two computers (Domain.xml, CSS.xml, WorkflowEngine.properties, and Scheduler.properties). If the configuration settings are changed on one computer, copy those files to the other computer manually. To overcome this problem, use option 2.
Option 2: Install Shared Services on one computer (for example, c:\websphere on machine1) and share the folder to machine2 with all permissions. Now map this folder on two computers (machine1 and machine2) designating J: for c:\websphere and i: for HYPERION_HOME. With this option, there is only one set of configuration files shared by the computers, so whenever the configuration settings are changed, they are automatically available for the computers.
Proceed to the next step and complete the procedure.
2 In the Domain.xml file, set the global cache to off. To do so, set the value of slidecache from on to
off.
3 Create a cluster for Shared Services using WebSphere:

a. Start WebSphere Network Deployment Manager using the startManager.bat command; for example, WEBSPHERE\DeploymentManager\bin\startManager.bat.
168
b. Start node agents on both computers using the startNode.bat command; for example, WEBSPHERE\AppServer\bin>addNode.bat. c. Open the Network Deployment Administrative Console. d. In the left frame, select Servers > Clusters. e. In the right frame, click New. f. Under Step 1: Enter Cluster Name: i. In Cluster Name, type a name for the cluster; for example, HubCluster.
ii. Deselect Prefer local enabled. iii. Select Create Replication Domain for this cluster. iv. Click Next. g. Under Step 2: Create New Clustered Servers: i. In Name, type a name for the cluster member; for example, HubClone1.
ii. In Select Node, select the node where the clustered member is created; for example, machine1. iii. In Weight, type 2. iv. Select the following options:

Generate Unique HTTP Ports Create Replication Entry in this Server Default application server template
v. Click Apply. h. On this page (Step 2: Create New Clustered Servers): i. In Name, type a name for the cluster member on the second computer; for example, HubClone2.
ii. In Select Node, select the node where the clustered member is created; for example, machine2. iii. In Weight, type 2. iv. Select the following options:

v. Click Apply. i. On this page (Step 2: Create New Clustered Servers): i. In Name, type a name for the cluster member on the second computer; for example,
HubClone3.
ii. In Select Node, select the node where the clustered member is created; for example, machine2. iii. In Weight, type 4.
169
iv. Select the following options:

v. Click Apply. WebSphere displays a list of cloned servers at the bottom of the page. j. Click Next.
k. Under Step 3: Summary, review the list of cloned servers and attributes:
If the summary is correct, click Finish and save. The cluster (HubCluster) is listed in the Server Cluster list. If the summary is incorrect, click Previous and make corrections.
Installing Shared Services To A Cluster

Use this procedure to install Shared Services to a WebSphere cluster.
To install Shared Services to the newly created WebSphere server cluster (HubCluster):
1 In the left frame, select Applications > Install New Application. 2 In the right frame, select the Local path option and click Browse. 3 Navigate to the WebSphere interop.war file and select it. 4 In Context Root, type interop. 5 Click Next. 6 Under Preparing for the application installation, accept the defaults and click Next. 7 Under Step 1: Provide options to perform the installation, accept the defaults and click Next. 8 Under Step 2: Map virtual hosts for web modules, in Virtual Host, select default_host and click Next. 9 Under Step 3: Map modules to application servers, perform the following actions:
a. Select Module. b. Select the cluster (HubCluster) and click Apply. c. Click Next. d. Under Step 4: Summary, click Finish. During cluster setup, three clones are created with unique HTTP ports, meaning the HTTP listeners for the internal servers running in each application server have values. The algorithm used by the administration process to create ports uses a default value (9080 for HTTP transport) and increments up to the next free value for each server defined. So in this case, when the Application Server was installed, a standalone server called server1 was created. When the node was added to the deployment manager, server1 was also migrated to become a manager server. Server1 uses port 9080 for its HTTP transport. On
170
machine1, HubClone1 was created using port 9081. On machine2, Hubclone2 uses port 9081 and HubClone3 uses port 9082. When installing the interop.war file, the default_host virtual host was used for the Web modules. By default, the default_host
accepts HTTP requests only on port 9080, so you must configure this virtual host to also accept requests for ports 9081 and 9082.
Adding Support for Additional Ports to the Default Host

To add support for additional ports to the default host:
1 In the WebSphere Administrative Console, select Environment > Virtual Hosts. 2 In the right frame, click default_host. 3 On the default_host page under Additional Properties, click Host Aliases. 4 On the Host Aliases page, click New and perform the following actions:
a. In the Host Name text field, type * (* represents all host names). b. In the Port text field, type 9081. c. Click OK.
5 Repeat step 4 for ports 9082 and 58080. 6 Select the Synchronize changes with Nodes option and click Save to save the configuration.
Setting the Class Path

The class path settings you set depend on which deployment option you chose in step 1 on page 168. To review:

Option 1: Install Shared Services on two computers with identical directory structures. Option 2: Install Shared Services on one computer (for example, c:\websphere on machine1) and share the folder to machine2 with all permissions.
To set the classpath if you chose deployment option 1 (install Shared Services on two
computers with identical directory structures):
1 In the left frame, open the Environment folder, and click the Manage WebSphere Variables link. 2 Click New and create the following variables:
HYPERION_HOME: Set the value to the HYPERION_HOME directory you specified during installation. The default is c:\hyperion. HSS_HOME: Set the value to the <HSS_HOME> directory you specified during installation. c:\hyperion\SharedServices\9.2.
3 In the left frame, open the Environment folder and click the Shared Libraries link.
171
4 Click New, name the shared library Hub libs, and add the following libraries to the shared library:
Classpath:
%HSS_HOME%\AppServer\InstallableApps\other\Hub_9_0_0ProductBean.jar %HSS_HOME%\AppServer\InstallableApps\common %HSS_HOME%\AppServer\InstallableApps\common\hyddtek.jar %HSS_HOME%\server\conf %HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1 %HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1\commons-dbcp.jar %HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1\commons-collections-3.1.jar %HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1\commons-pool.jar
If you are using a MySQL database, add the following library:

%HYPERION_HOME%\common\JDBC\MySQL\4.0.12\mysql-connector-java-3.0.7-stable-bin.jar
Native Library Path:

%HYPERION_HOME%/common/CSS/3.0.0/bin
5 Click Apply. 6 Click OK.
To set the classpath if you chose deployment option 2 (install Shared Services on one computer
and share the folder to a second computer with all permissions):
1 In the left frame, open the Environment folder and click the Manage WebSphere Variables link. 2 Click New and create the following variables:
HYPERION_HOME: Set the value to the HYPERION_HOME directory you specified during installation; for example, i:\. HSS_HOME: Set the value to the HSS_HOME directory you specified during installation; for example, j:\hyperion\SharedServices\9.2.
3 In the left frame, open the Environment folder, and click the Shared Libraries link. 4 Set the class path scope to the cell level. To specify cell scope, clear Node and Server and click Apply. 5 Click New, name the shared library Hub libs, and add the following libraries to the shared library:
Classpath:
${HSS_HOME}/Hub9_0_0ProductBean.jar ${HSS_HOME}/other/hyddtek.jar ${HSS_HOME}/other ${HSS_HOME}/server/conf
Native Library Path:

${HYPERION_HOME}/common/CSS/2.7.0/bin
6 Click Apply. 7 Click OK.
172
Deploying One Application on Multiple Servers

You deploy one application on multiple servers after you set the classpath.
To deploy one application on multiple servers:

1 In the left frame, open the Applications folder and click the Enterprise Applications link. 2 Under Enterprise Applications, click the interop.war hyperlink. 3 In the Configuration tab under Additional Properties, click the Libraries hyperlink. 4 Under Library Ref, click Add. 5 From Library Name, select Hub libs. Click Apply. 6 Click OK. 7 In the left frame, click the Enterprise Applications link, and in the right frame, click interop.war. 8 Under Additional Properties, click Session Management. 9 Next to Overwrite Session Management, select Overwrite to overwrite the server setting. 10 Next to Session Tracking Mechanism, ensure Enable Cookies is selected. 11 Click Enable Cookies and change the cookie name to HUBSESSIONID. 12 Click Apply. Click OK. 13 Scroll down to Additional Properties and select Distributed Environment Settings. 14 Next to Distributed Sessions, select Memory to Memory Replication. Click Apply. 15 Click Memory to Memory Replication and in the Runtime mode, select Both client and server. 16 Click Apply. Click OK. 17 Scroll down to Additional Properties and select Custom Tuning Parameters. 18 Next to Tuning level, select Low (optimize for failover). 19 Click Apply. Click OK.
Selecting Server Settings

To select the server settings:
1 In the left frame, select Servers > Application Servers. 2 In the right frame, click HubClone1. 3 In the Configuration tab, scroll down to Additional Properties and click Web Container. 4 In the Web Container Configuration tab, scroll down to Additional Properties and click Session
Management.
5 Next to Session tracking mechanism, select Enable Cookies. Click Apply. 6 Click Enable Cookies and change the cookie name to HUBSESSIONID.
173
7 Click Apply. Click OK. 8 In the Session Management Configuration tab, scroll down to Additional Properties and click Distributed
Environment Settings.
9 Next to Distributed Sessions, select Memory to Memory Replication. Click Apply. 10 Click Memory to Memory Replication. 11 In Runtime mode, select Both client and server. 12 Click Apply. Click OK. 13 Scroll down to Additional Properties and click Custom Tuning Parameters. 14 Next to Tuning level, select Low (optimize for failover). 15 Click Apply. Click OK. 16 In the left frame, select Servers > Application Servers and in the right frame, click HubClone1. 17 In the Configuration tab, scroll down to Additional Properties and click Web Container. 18 Under Addition Properties, click HTTP transports. 19 Click the 9081 port Host * to set the custom properties. 20 Scroll down to Additional Properties and click Custom Properties. 21 Under Custom Properties, click New and add the following custom properties:
ConnectionIOTimeout = 30 ConnectionKeepAliveTimeout = 30
22 Repeat the steps for selecting server settings for all servers (hubClone2, hubClone3) in the cluster. 23 Save the configuration, ensuring Synchronize changes with Nodes is selected.
HTTP Web Plug-in Settings

To update the Web server plug-in settings:
1 In the left frame, select Environment > Update Web Server Plugin.
Performing this step automatically updates the plugin-cfg.xml file in $DeploymentManager_Home\config\cells folder.
2 Open the $DeploymentManager_Home\config\cells\plugin-cfg.xml file. 3 Change the value for AcceptAllContent from "false" to "true".
For example:
<Config ASDisableNagle="false" AcceptAllContent="true" IISDisableNagle="false" IgnoreDNSFailures="false" RefreshInterval="60" ResponseChunkSize="64">
4 Save the plugin-cfg.xml file changes. 5 You can manually copy the plugin-cfg.xml file to the WebSphere installation directory or you can
update the location of the plug-in file in the httpd.conf file. Select one of the following options:
174
Copy the plugin-cfg.xml from the \DeploymentManager\config\cells folder to <WAS_HOME>\config\cells\plugin-cfg.xml. Open the $IBMHttpServer_HOME\conf\httpd.conf file. The last line of this file contains a location for the plugin-cfg.xml file. Change the location of the plugincfg.xml file to <WAS_HOME>\config\cells\plugin-cfg.xml and save the httpd.conf file changes.
WebLogic Clustering
This section includes the following procedures for WebLogic clustering:

Creating Server Clusters on page 175 Setting Node Manager Properties on page 177 Setting Up WebLogic Deployment Descriptors on page 179 Removing the IP Address from Config.xml on page 180 Setting the Path on page 180 Starting the Managed Servers from the WebLogic Server Console on page 182 Deploying the Web Application Module on page 182 Serving WebLogic WebDav Methods In a Cluster Mode on page 183
Creating Server Clusters

To create the domain server instances and clusters:
1 Start the WebLogic Configuration Wizard by selecting Start > Programs > BEA WebLogic Platform 8.1 >
Configuration Wizard.
2 On the first screen, select Create a new WebLogic configuration and click Next. 3 Under Select a Configuration Template, select the Basic WebLogic Server Domain template and click
Next.
4 Under Choose Express or Custom Configuration, select Custom and click Next. 5 Under Configure the Administration Server:
a. In Name, type InteropAdminServer. b. From Listen Address, select All Local Addresses. c. In Listen Port, type 7001. d. Click Next.
6 Under Managed Servers, Clusters, and Machines Options, select Yes and click Next. 7 Under Configure Managed Servers, click Add and take the following actions:
a. In Name, type FirstServer. b. In Listen Address, select All Local Addresses.
175
c. In Listen Port, type 8001. d. Repeat steps 7a, 7b, and 7c to add three additional servers with the following entries:
Name SecondServer OtherMachineServer HTTpProxyServer Listen Address All Local Addresses All Local Addresses All Local Addresses Listen Port 8002 8003 8004
e. Click Next.
8 Under Configure Clusters, click Add and type the following text. Click Next:

In Name, type InteropCluster. In Multicast address, type 237.0.0.101. In Multicast port, type 8050.
9 Under Assign Servers to Clusters:

a. Select all three servers in the Source list. b. Click the arrow to place the servers in the Target list. c. Click Next.
10 Under Create HTTP Proxy Applications, select Create HTTP proxy for cluster InteropCluster and select
HttpProxyServer. Click Next.
11 Under Configure Machines, create the computer names with unique port numbers to which you are
mapping your managed server in the next step. Click Next.
For example:
Name Machine1 Machine2 Node manager listen address All Local Addresses All Local Addresses Node manager listen port 5555 4321
12 Under Assign Servers to Machines, map the managed server to the respective machines. Click Next. 13 Under Database (JDBC) Options, select No and click Next. 14 Under Messaging (JMS) Options, select No and click Next. 15 Under Application and Services Targeting Options, select No and click Next. 16 Under Configure Administrative Username and Password:
a. In Name, type weblogic. b. In Password and Confirm user password, type weblogic. c. Select No and click Next.
176
17 Under Configure Windows Options:

a. In Create Start Menu, select No. b. In Install Administrative Server as a Windows Service, select No and click Next.
18 Under Configure Server Start Mode and Java SDK:

a. In WebLogic Configuration Startup Mode, select Production Mode. b. In Java SDK Selection, select BEA Supplied SDKs and select JRockit SDK. c. Click Next.
19 Under Create WebLogic Configuration, do the following:

a. In Configuration Name, type InteropSetup. b. Click Create. The Configuration Wizard creates the domain in
<bea_HOME>\user_projects\domains\InteropSetup.
c. Click Done to exit the BEA WebLogic Configuration Wizard.
Setting Node Manager Properties

To set the node manager properties:
1 Run the startNodeManager.cmd file in the <bea_HOME>\weblogic81\server\bin
directory.
This creates a nodemanager.properties file in the <bea_HOME>\weblogic81\ common\nodemanager directory.
2 Open the nodemanager.properties file. 3 Set the following properties in the nodemanager.properties file:
ListenAddress = machinename ListenPort = 5555 ReverseDnsEnabled = true WeblogicHome = c:\bea\weblogic81 bea.home = c:\bea
4 Save and close the nodemanager.properties file. 5 Open the installNodeMgrSvc.cmd file in the <bea_HOME>\weblogic81\server\bin
directory.
Note: The WebLogic Server installation process installs Node Manager as an operating system service: a daemon on UNIX systems, or a Windows service on Windows systems.
177
6 Edit the installNodeMgrSvc.cmd file to specify the node manager's listen address and listen port
as follows:
set NODEMGR_HOST=machineName set NODEMGR_PORT=5555
7 Save and close the installNodeMgrSvc.cmd file. 8 Open the uninstallNodeMgrSvc.cmd file in the same directory and make the changes you made in
step 6.
This enables you to uninstall the service in the future.
9 Save and close the uninstallNodeMgrSvc.cmd file. 10 Run the installNodeMgrSvc.cmd file to reinstall Node Manager as a service, listening on the
updated address and port.
11 Go to the second computer and repeat the preceeding steps for the nodemanager.properties file,
the installNodeMgrSvc.cmd file, and the uninstallNodeMgrSvc.cmd file.
Note: When setting the properties in the nodemanager.properties file for the second computer, do not add the ListenAddress property. Also update the ListenPort, WeblogicHome, and bea.home properties as applicable for the second computer.
12 On the first computer, open a command prompt, specify the directory <bea_HOME>\
user_projects\domains\InteropSetup, and run the startWebLogic.cmd.
13 If you are asked for a username and password, type weblogic / weblogic. 14 On the first computer, open the nodemanager.hosts file in <bea_HOME>\weblogic81\
common\nodemanager and add the computer name or IP address of the second computer where the
OtherMachineServer is running.
For example:
# Host names from which the connection to the # node manager will be accepted. # You can edit this file manually. # E.g. - for allowing a machine named holly to connect, # uncomment one of the following lines based on whether # ReverseDnsEnabled property is turned on or off. #holly.bea.com #172.17.24.145 192.168.159.200 hyperiontest3
15 Save and close the nodemanager.hosts file on the first computer. 16 On the second computer, open the nodemanager.hosts file in <bea_HOME>\weblogic81\
common\nodemanager and add the computer name or IP address of the first computer.
17 Save and close the nodemanager.hosts file on the second computer.
178
Setting Up WebLogic Deployment Descriptors

To set up WebLogic deployment descriptors, you must add some additional tags to the weblogic.xml configuration file in <HSS_HOME>/AppServer/InstalledApps/ WebLogic/8.1/SharedServices9/interop/WEB-INF/. Add the following tags inside the <weblogic-web-app> tag:
<session-descriptor> <session-param> <param-name>PersistentStoreType</param-name> <param-value>replicated_if_clustered</param-value> </session-param> <session-param> <param-name>CookieName</param-name> <param-value>HUBSESSIONID</param-value> </session-param> </session-descriptor> <container-descriptor> <session-monitoring-enabled>true</session-monitoring-enabled> </container-descriptor>
Also, add these tags to the two weblogic.xml configuration files in the following BEA directories:
E:\bea\user_projects\domains\InteropSetup\apps\ BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\WEB-INF E:\bea\weblogic81\common\nodemanager\beaweblogic81\HttpProxyServer\ stage\BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\ BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\WEB-INF
Add the following <init-param> tags (in bold text below) to the web.xml file under the following directories:
E:\bea\user_projects\domains\InteropSetup\apps\ BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\WEB-INF E:\bea\weblogic81\common\nodemanager\beaweblogic81\HttpProxyServer\ stage\BEA_Proxy_For_Cluster_InteropCluster_on_HttpProxyServer\BEA_Pr oxy_For_Cluster_InteropCluster_on_HttpProxyServer\WEB-INF
<servlet> <servlet-name>HttpClusterServlet</servlet-name> <servlet-class>weblogic.servlet.proxy.HttpClusterServlet</servletclass> <init-param> <param-name>WebLogicCluster</param-name> <param-value>host1:port1|host2:port2|host3:port3</param-value> </init-param>
179
<init-param> <param-name>CookieName</param-name> <param-value>HUBSESSIONID</param-value> </init-param> </servlet>
Removing the IP Address from Config.xml

If you are using WebLogic 8.1 with SP4, you must remove the IP Address from the config.xml file or the request from one browser in the same session gets routed to another managed server.
To remove the IP Address from the config.xml file:

1 Open the config.xml file in the c:\bea\user_projects\domains\InteropSetup directory. 2 In the beginning of the config.xml file, find the following tag for clustering:
<Cluster FrontendHTTPPort="8804" FrontendHTTPSPort="7002" FrontendHost=" 192.168.159.152 " MulticastAddress="237.0.0.101" Name="337_Cluster"/>
3 Delete the value for FrontendHost; for example, FrontendHost="". 4 Save and close the config.xml file.
Setting the Path

The procedures in this section use the following variables to refer to directories on your system:
$BEA_DIR is the installation directory of the BEA WebLogic server; for example, in Unix, /opt/bea, and, in Windows, c:\bea. $HYPERION_HOME is the directory where HYPERION_HOME is set; for example, c:\hyperion (Windows) or /home/username/Hyperion (UNIX). $HSS_HOME is the directory in which you installed Shared Services; for example, c:\hyperion\SharedServices\9.2 (Windows) or /home/username/Hyperion/SharedServices/9.2 (UNIX).
To set the path:

1 Open a browser and type the following URL:
http://localhost:7001/console
2 In the login screen type weblogic for the Username and Password. 3 After you are logged on to the WebLogic Server Console, expand the Machines node in the left frame to
view the two computer names you created in the WebLogic Configuration Wizard.
4 Select the first computer listed under the Machines node.
180
5 In the right frame, select the Monitoring tab and view the Node Manager Status. Check that the State is
RUNNING.
6 Select the second computer listed under the Machines node, select the Monitoring tab and check that the
State is RUNNING for the second computer.
If the states are RUNNING, you can proceed to the next step.
7 In the left frame, click the Servers node to view the servers you created in the WebLogic Configuration
Wizard. Click FirstServer under the Servers node.
8 In the right frame, click the Remote Start tab and enter the following settings:
a. Set Java Home to c:\bea\jdk142_05. b. Set BEA Home to c:\bea. c. Copy the jar file CR228256_81sp4_v2.jar from C:\Hyperion\SharedServices\ 9.2\AppServer\InstallableApps\WebLogic\8.1 to C:\bea\weblogic81\ server\lib. d. Set Class Path as follows:
$BEA_DIR\weblogic81\server\lib\cr228256_81sp4_v2.jar; $BEA_DIRweblogic81\server\lib\weblogic.jar; $BEA_DIR\weblogic81\server\lib\ojdbc14.jar; $BEA_DIR\weblogic81\server\lib\webservices.jar; $BEA_DIR\jdk142_05\lib\tools.jar; $HSS_HOME\AppServer\InstallableApps\other\Hub9_0_0ProductBean.jar; $HSS_HOME\AppServer\InstallableApps\catalina.jar; $HSS_HOME\AppServer\InstallableApps\other\commons-dbcp.jar; $HSS_HOME\AppServer\InstallableApps\other\commons-collections.jar; $HSS_HOME\AppServer\InstallableApps\other\commons-pool.jar; $HSS_HOME\AppServer\InstallableApps\common\hyddtek.jar; $HSS_HOME\AppServer\InstallableApps\other\jdom-b9.jar; $HSS_HOME\AppServer\InstallableApps\common
e. Set Arguments as follows:

-server -Xms512m -Xmx512m -XX:NewSize=64m -XX:MaxNewSize=64m XX:MaxPermSize=128m -Xss128k -XX:-UseTLAB -XX:+UseConcMarkSweepGC XX:+DisableExplicitGC -Djava.awt.headless=true
f.
Set Security Policy File to c:\bea\weblogic81\server\lib\weblogic.policy.
9 Repeat steps 6, 7, 8 for the remaining managed servers (SecondServer and

OtherMachineServer).
While updating the classpath for OtherMachineServer, enter the applicable classpath for the second computer.
Note: Hyperion assumes the installation structure for WebLogic and Shared Services are identical for the computers where the Managed Servers for clustering were created.
181
10 In the left frame, select FirstServer, and in the right frame, select the KeyStores & SSL tab. 11 Scroll down and click Show Advanced Options. 12 Under Advanced Options, from Hostname Verification, select None. 13 Repeat steps 10, 11, and 12 for the remaining managed servers (SecondServer and
OtherMachineServer).
14 In the left frame, select the first computer listed under the Machines node and update the Listen
Address of HTTpProxyServer.
15 Select the Node Manager tab and add the Listen Address for each computer listed under the Machines
node.
Starting the Managed Servers from the WebLogic Server Console

To start the managed servers from WebLogic Server Console:
1 In the left frame, select the Interop Setup node. 2 In the right frame, click Start All Managed Servers. 3 On the WebLogic confirmation screen, click Yes.
After the servers are in Running mode, the Status column shows Task Completed for all servers.
Deploying the Web Application Module

Before you deploy the Web application module, perform the following steps:
In the Domain.xml file, set the global cache to off. To do so, set the value of slidecache from on to off. In the scheduler.properties file, uncomment the following line:
org.quartz.jobStore.isClustered=true
To deploy the Web application module:

1 In the left frame, expand the Deployments and Web Applications Module nodes. 2 In the right frame, click Deploy a new Web Application Module. 3 Next to the Location link, select the directory where you installed the interop.war file on your
computer or the expanded interop folder.
4 Click Target Module. 5 Under Clusters, select InteropCluster. 6 Select All servers in the cluster and click Continue. 7 Accept all defaults and click Deploy.
182
Serving WebLogic WebDav Methods In a Cluster Mode

In a cluster mode, WebLogic HTTPClusterServlet has an issue with serving WebDav methods. BEA provides a patch for this issue in WLS Service Pack 4.
To serve WebLogic WebDav methods in a cluster mode:

1 Find the CR228256_81sp4_v2.jar file located in the following Shared Services WebLogic directory:
%HSS_HOME%/AppServer/InstalledApps/Weblogic/8.1
2 Add the jar file to the classpath (WEBLOGIC_CLASSPATH variable in %BEA_HOME%/weblogic81/

common/bin/commEnv.cmd or .sh) before the weblogic.jar entry.
3 Remove the following classes from all weblogic.jar files on all computers where the managed servers
are installed:
This JAR file is located at %BEA_HOME%/weblogic81/server/lib.

GenericProxyServlet$ProxyConnection.class GenericProxyServlet$ProxyConnectionPool.class GenericProxyServlet.class HttpClusterServlet$1.class HttpClusterServlet$2.class HttpClusterServlet$RequestInfo.class HttpClusterServlet$Server.class HttpClusterServlet$ServerList.class HttpClusterServlet.class
Replicating the OpenLDAP Environment

Load balancing and failover is also necessary in the OpenLDAP environment. This section describes how to replicate the OpenLDAP environment for load balancing and failover. In the following procedure, $HSS_HOME is the directory in which you installed Shared Services; for example, c:\hyperion\SharedServices\9.2 (Windows) or /home/username/Hyperion/SharedServices/9.2 (UNIX).
To set up a replicated environment for OpenLDAP:

1 Install and configure Shared Services on machine1. 2 Install and configure Shared Services on machine2. 3 Stop the Shared Services LDAP Service on machine1. 4 Stop the Shared Services LDAP Service on machine2.
183
5 Update the slapd configuration files as follows:

a. On machine1, update the $HSS_HOME\OpenLdap\slapd.conf file (Master) with the following entries: i. Add a replica directive for each replica in slapd.conf:
replica uri=ldap://HOST_NAME_SLAVE:58089 binddn=cn=Replicator,dc=css,dc=hyperion,dc=com bindmethod=simple credentials=security Note: The second and third lines (the lines starting with binddn and bindmethod) must be preceeded with at least one white space charater to denote that the line is a continuation of the previous line. Also ensure the binddn value is not the same as the rootdn value.
ii. On machine1, configure the replication logs as follows:
Create the following directory for storing the replication related log files:
drive:\OpenLdap\logfiles
Add a replogfile directive in the slapd.conf file:

replogfile drive:\\OpenLdap\\logfiles\\slapd.replog
b. On machine2, update the <HSS_HOME>\OpenLdap\slapd.conf file (slave) with the following changes: i. Include an updatedn line as follows:
updatedn cn=Replicator,dc=css,dc=hyperion,dc=com Note: Ensure the value of the updatedn entry is the same as the binddn entry in the master slapd.conf file.
ii. Update the rootdn value to be the same as the updatedn (Replicator) value:
rootdn cn=Replicator,dc=css,dc=hyperion,dc-com
iii. Add the following entry for updateref:

updateref ldap://HOST_NAME_MASTER
For example: ldap://192.168.159.176
6 Copy the contents from the machine1 (Master) database directory to machine2 (Slave) database
directory. Copy all database files located in the database directory specified in the slapd.conf file.
For example, copy the data under $HSS_HOME/OpenLdap/var/OpenLdap-data.
7 Update the CSS.xml configuration file as follows:

a. On machine1, update the CSS.xml file with the following entry for the slave OpenLDAP (the CSS.xml file is located at $HSS_HOME\AppServer\InstalledApps\ <appServer>\<version>\CSS.xml):
<native name=Native Directory> <slaves> <slave>
184
<url>ldap://machine2:58089</url> <type>failover</type> </slave> </slaves> </provider>
8 Start the Shared Services LDAP Service on machine1 (Master). 9 Start the Shared Services LDAP Service on machine2 (Slave). 10 Start slurpd on machine1 as follows:
For Windows:
$HSS_HOME\openLdap\slurpd -f <masterslapdconfigfile>
For example: C:\Hyperion\SharedServices\9.2\OpenLdap\slurpd -f

slapd.conf
For UNIX:
./slurpd -f /var/Hyperion/SharedServices/9.2/openLDAP/usr/local/etc/ openldap/slapd.conf -t /var/Hyperion/SharedServices/9.2/openLDAP/usr/local/var/ openldap-slurp
from
/var/Hyperion/SharedServices/9.2/openLDAP/usr/local/libexec
where Shared Services is installed in /var/Hyperion.
For Solaris:
a. Make a copy of the startOpenLDAP.sh file in the openLDAP folder and rename it to startSlurpd.sh (or another name you choose). b. Open the renamed file and change the following codeline:
$OPENLDAP_HOME/usr/local/libexec/slapd -f $OPENLDAP_HOME/usr/local/etc/openldap /slapd.conf -h ldap://wolverine:58089 -d 1
to
$OPENLDAP_HOME/usr/local/libexec/slurpd -f $OPENLDAP_HOME/usr/local/etc/openlda p/slapd.conf -t /vol1/Hyperion/SharedServices/9.2/openLDAP/usr/local/var/openlda p-slurp -d 1
c. Save and close the file.
185
186
APPENDIX
E
In This Appendix
This appendix describes how to back up and recover Shared Services data and configuration files in the event of a failure.
Backing Up Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Recovering Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Running the Sync OpenLDAP Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
187
Backing Up Shared Services

Backing up Shared Services includes backing up Shared Services application server configuration files, the OpenLDAP database configuration file, and all OpenLDAP data files and log files. The Shared Services installation includes scripts that perform the backup process for you. Hyperion recommends backing up Shared Services data on a daily basis.
Note: There may be additional data files to back up for the Hyperion product you are using. For example, for Essbase you must back up an essbase.sec file in addition to the Shared Services files. See the Hyperion product documentation.
Shared Services stores data in two databases:
A relational database Shared Services supports several relational databases. The relational database stores the event, administrator, and metadata-services-related data. Supported database versions are listed in Chapter 3, Planning the Shared Services Installation. The procedures for backing up the relational database are specific to the type of database Shared Services is configured against. See the database vendor documentation for the procedure to back up relational database data.
An OpenLDAP database The OpenLDAP database is installed with Shared Services and is automatically configured by Shared Services. OpenLDAP stores the security-services-related data.
To ensure that Shared Services can recover from catastrophic failure, these data sources must be backed up simultaneously to ensure that the data in these sources is synchronized.
To create a hot backup of OpenLDAP:

Note: Shared Services can be running while OpenLDAP is backed up.
1 Ensure that the Shared Services database is in online backup mode. 2 Run the following command:
For Windows:
<HSS_HOME>\server\scripts\backup.bat backup_folder_name
where <HSS_HOME> is the location where Shared Services is installed and backup_folder_name is the path to the backup folder. For example:
c:\hyperion\SharedServices\9.2\server\scripts\ backup.bat c:\HSS_backup
188
For UNIX:
<HSS_HOME>/server/scripts/backup.sh backup_folder_name
/home/username/Hyperion/SharedServices/9.2/server/scripts/ backup.sh /home/username/HSS_backup
3 Optional: Copy the backup folder to a backup device such as a CD-ROM, alternate disk, or tape.
Files Backed Up
These files are backed up:
Directory Files Domain.xml slide.properties CSS.xml WorkflowEngine.properties Scheduler.properties manage_data.properties <HSS_HOME>\OpenLDAP <HSS_HOME>\OpenLDAP\var\openldap-data slapd.conf *.bdb files log.* files
<HSS_HOME>\AppServer\InstalledApps\appServer\version\
Recovering Shared Services

To recover Shared Services from a catastrophic failure, configuration files and data files must be restored, and the Sync OpenLDAP utility should be run. The Shared Services installation includes scripts that perform the recovery process for you. To recover Shared Services data, the relational database and the OpenLDAP database must be recovered. When recovering from backups, ensure the time stamp of the OpenLDAP database backup and the time stamp of the relational database backup match (or are close). The procedures for recovering the relational database are specific to the type of database Shared Services is configured against. See the database vendor documentation for the procedure to recover the data in the relational database.
Recovering Shared Services
189
To recover Shared Services:

1 On Windows, stop the OpenLDAP service (Hyperion SharedServices9 OpenLDAP). 2 To perform a normal (non-catastrophic) recovery, run the following command:
For Windows:
<HSS_HOME>\server\scripts\recover.bat backup_folder_name
c:\hyperion\SharedServices\9.2\server\scripts\ recover.bat c:\HSS_backup
For UNIX:
<HSS_HOME>/server/scripts/recover.sh backup_folder_name
/home/username/Hyperion/SharedServices/9.2/server/scripts/ recover.sh /home/username/HSS_backup
The recover script picks up the backed up configuration and data files from the backup directory and places them in the appropriate directory under <HSS_HOME>. For the list of restored files, see Files Backed Up on page 189.
3 To perform a catastrophic recovery, run the following command:
For Windows:
<HSS_HOME>\server\scripts\recover.bat backup_folder_name catRecovery
c:\hyperion\SharedServices\9.2\server\scripts\ recover.bat c:\HSS_backup catRecovery
For UNIX:
<HSS_HOME>/server/scripts/recover.sh backup_folder_name catRecovery
/home/username/Hyperion/SharedServices/9.2/server/scripts/ recover.sh /home/username/HSS_backup catRecovery
The recover script picks up the appropriate configuration and data files from the backup directory and places them in the appropriate directory under <HSS_HOME>.
Running the Sync OpenLDAP Utility

To ensure that the Shared Services relational database and the Shared Services OpenLDAP database are in sync, run the Sync OpenLDAP utility. See Sync OpenLDAP Utility on page 201.
190
APPENDIX
Sample Configuration XML Files
F
When you use the Shared Services External Authentication Provider Configuration Console to set up external authentication, the console writes your configuration information to the CSS.xml file packaged with Shared Services. The CSS.xml file is located on the computer hosting Shared Services, at:
<HSS_HOME>\AppServer\InstallableApps\common\CSS.xml
where <HSS_HOME> represents the directory where Shared Services was installed. Completion of the Shared Services configuration populates most of the XML file, but there are some additional elements you can configure. See Additional Configuration Elements on page 88.
In This Appendix
Basic XML Configuration Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Extended XML Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
191
Basic XML Configuration Example

This topic shows a sample XML configuration file containing the basic elements (XML tags) you can configure to enable external authentication for Shared Services and other Hyperion products.
<?xml version="1.0" encoding="UTF-8" ?> <css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <spi> <provider> <ntlm name="ntlmServer"> <trusted>false</trusted> <domain>THIS_IS_DOMAIN_NAME</domain> </ntlm> <ldap name="ldapServer"> <trusted>true</trusted> <url>ldap://host:portNo/DIT</url> <userDN>cn=User Name</userDN> <password>userPassword</password> <user> <url>ou=People</url> </user> <group> <url>ou=Groups</url> </group> </ldap> <msad name="msadServer"> <trusted>false</trusted> <url>ldap://host:PortNo/DIT</url> <userDN>cn=UserName</userDN> <password>UserPassword</password> <user> <url>ou=people</url> </user> <group> <url>ou=Groups</url> </group> </msad> </provider> </spi> <searchOrder> <el>ntlmServer</el> <el>ldapServer</el> <el>msadServer</el> </searchOrder> <logger> <priority>FATAL</priority> </logger> </css>
192
Extended XML Configuration Example

This topic shows a sample XML configuration file containing basic and additional elements (XML tags) you can configure to enable external authentication for Shared Services and other Hyperion products.
<?xml version="1.0" encoding="UTF-8" ?> <css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <spi> <provider> <ntlm name="ntlmServer"> <trusted>false</trusted> <domain>THIS_IS_DOMAIN_NAME</domain> <maxSize>300</maxSize> <remoteServer> <location>//localhost:58000/NTLMImpl</location> </remoteServer> </ntlm> <ldap name="ldapServer"> <trusted>true</trusted> <url>ldap://host:portNo/DIT</url> <userDN>cn=User Name</userDN> <password>userPassword</password> <authType>simple</authType>  <authProtocol>ssl</authProtocol> <maxSize>200</maxSize> <identityAttribute>dn</identityAttribute> <user> <url>ou=People</url> <loginAttribute>uid</loginAttribute> <fnAttribute>givenname</fnAttribute> <snAttribute>sn</snAttribute> <emailAttribute>mail</emailAttribute> <objectclass> <entry>person</entry> <entry>organizationalPerson</entry> <entry>inetOrgPerson</entry> </objectclass> </user> <group> <url>ou=Groups</url> <nameAttribute>cn</nameAttribute> <objectclass> <entry>groupofuniquenames?uniquemember</entry> <entry>groupOfNames?member</entry> </objectclass> </group> </ldap> <msad name="msadServer"> <trusted>false</trusted> <url>ldap://host:PortNo/DIT</url> <userDN>cn=UserName</userDN> <password>UserPassword</password> <authType>simple</authType>  <authProtocol>ssl</authProtocol>
Extended XML Configuration Example
193
<maxSize>200</maxSize> <identityAttribute>dn</identityAttribute> <user> <url>ou=people</url> <loginAttribute>uid</loginAttribute> <fnAttribute>givenname</fnAttribute> <snAttribute>sn</snAttribute> <emailAttribute>mail</emailAttribute> <objectclass> <entry>person</entry> <entry>organizationalPerson</entry> <entry>inetOrgPerson</entry> </objectclass> </user> <group> <url>ou=Groups</url> <nameAttribute>cn</nameAttribute> <objectclass> <entry>groupofuniquenames?uniquemember</entry> <entry>groupOfNames?member</entry> </objectclass> </group> </msad> </provider> </spi> <searchOrder> <el>ntlmServer</el> <el>ldapServer</el> <el>msadServer</el> </searchOrder> <token> <timeout>60</timeout> </token> <logger> <priority>FATAL</priority> </logger>  </css>
194
APPENDIX
G
In This Appendix
Troubleshooting the Shared Services Installation
Topics in this appendix include:
Shared Services Log Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Debugging Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Shared Services Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Setting Log Levels for the OpenLDAP Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Troubleshooting OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Utilities for Troubleshooting Shared Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Accessing the User Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Note: <HSS_HOME> is the directory in which you installed Shared Services; for example, c:\Hyperion\SharedServices\9.2. on Windows and /home/username/Hyperion/SharedServices/9.2 on UNIX.
195
Shared Services Log Configuration Files

Two main log configuration files enable you to configure the log level settings for Shared Services:

CSS.xml HSSLogger.properties
The location of these files varies depending on the application server you are using. For example, if you installed Shared Services 9.2.1 with Tomcat 5.0.28 as the application server, these files would be located in <HSS_HOME>\AppServer\InstalledApps\Tomcat\5.0.28.
Debugging Shared Services

You can adjust the level of log messages to DEBUG for the following Shared Services components:
For external authentication and single sign-on: i. Launch the Shared Services External Authentication Configuration Console.
ii. In the Additional Configuration section, locate Logging Level. iii. In Logging Level, select DEBUG. iv. Click Save. Changes are written to the CSS.xml file.
For Shared Services models, open the HSSlogger.properties file and set the value for log4j.logger.com.hyperion.eie to DEBUG. For example, log4j.logger.com.hyperion.eie=DEBUG. Save your changes. For the Shared Services User Management Console, open the HSSlogger.properties file and set the value for log4j.logger.com.hyperion.cas to DEBUG. For example, log4j.logger.com.hyperion.cas=DEBUG. Save your changes. For Shared Services taskflows, open the HSSlogger.properties file and set the values for the following to DEBUG:

log4j.logger.com.hyperion.workflow log4j.logger.com.hyperion.ces log4j.logger.com.hyperion.dsf
Save your changes. You must restart Shared Services after making changes to the log levels settings.
196
Shared Services Log Files

Log File Topic About Which Information Is Logged External authentication and single sign-on User management Metadata management and registration Taskflow Scheduling Scheduling Utility that synchronizes OpenLDAP and relational data sources External authentication client
Note: In previous releases, the HyperionCSS.log file.
SharedServices_Security.log SharedServices_Admin.log SharedServices_Metadata.log SharedServices_Taskflow.log SharedServices_Taskflow_CMDExecute.log SharedServices_Taskflow_Optimize.log SharedServices_SyncOpenLDAP.log SharedServices_Security_Client.log
Most of the preceding server logs are located in the Shared Services logs directory. For example:
For Tomcat, the logs are located at <HSS_HOME>\AppServer\InstalledApps\ Tomcat\5.0.28\SharedServices9\logs. For Weblogic, the logs are located at <HSS_HOME>\AppServer\InstalledApps\ WebLogic\<version>\SharedServices9\logs. For Websphere, the logs are located at <HSS_HOME>\AppServer\InstalledApps\ Websphere\5.x\SharedServices9\logs.
In addition to the preceding locations, the External Authentication client log (SharedServices_Security_Client.log) file is located in the Temp directory of the product using the external authentication client. The location of the Temp directory varies based on the application server and platform you are using.
Setting Log Levels for the OpenLDAP Database

The OpenLDAP database stores the security services-related data. Shared Services automatically installs OpenLDAP as a Windows service, configures it, and starts OpenLDAP after installation. But you can set various log levels for the OpenLDAP database, if necessary. Log level settings for OpenLDAP are a flag or parameter that is passed during OpenLDAP startup and operations are logged in the OpenLDAP server console. Log levels for OpenLDAP are not set in a configuration file, instead they are included as part of the startup command. The following table lists the various startup commands for OpenLDAP. For Windows, the
Setting Log Levels for the OpenLDAP Database
197
OpenLDAP Windows service is automatically configured with the -d flag. For UNIX, the startup script for OpenLDAP has the option. The setting of this flag is taken care of by the installer. Some examples: If you start OpenLDAP with the following command:
slapd -d 0
No details are logged in the OpenLDAP server console. Conversely, if you start OpenLDAP with the following command:
slapd -d -1
All details of every operation carried out are logged in the OpenLDAP server console. To selectively enable the log level for viewing access control list processing, start OpenLDAP using the following command:
slapd -d 128
The OpenLDAP server console displays access control data like which user has what kind of access on a particular resource.
Table 2
OpenLDAP Startup Commands Log Details Enable all debugging Description Provides the most logs. Logs include every transaction or query done with OpenLDAP. No logs are provided. Traces function calls in OpenLDAP Enables debugging of packet handling in OpenLDAP Provides a huge amount of trace with data searched in database Displays all data available in database with its internal process logs Displays all packets sent & received Displays all filter and search data available in OpenLDAP Displays configured data like Object class and its attributes, and so on Displays access control data like which user has what kind of access on a particular resource
OpenLDAP Startup Command slapd -d -1
slapd -d 0 slapd -d 1 slapd -d 2 slapd -d 4 slapd -d 8 slapd -d 16 slapd -d 32 slapd -d 64 slapd -d 128
No debugging Trace Debug packet handling Heavy trace debugging Connection management Print out packets sent and received Search filter processing Configuration processing Access control list processing
198
Table 2
OpenLDAP Startup Commands (Continued) Log Details Stats log connections/operations/results Description Displays add/modify/delete operations on a particular resource. (The -1 option displays this as well, but the 256 option provides fewer logs than the -1 option.) Displays connection number, operation number, and the DN values Displays index properties of each attribute in an object class Provides schema-level detail Displays database cache processing data like index parameters and so on. Provides database index details Displays replica processing operations (master/slave OpenLDAP configuration)
OpenLDAP Startup Command slapd -d 256
slapd -d 512 slapd -d 1024 slapd -d 2048 slapd -d 4096 slapd -d 8192 slapd -d 16384
Stats log entries sent Print communication with shell backends Print entry parsing debugging Database cache processing Database indexing Syncrepl consumer processing
Troubleshooting OpenLDAP
If you are having problems connecting to the Shared Services OpenLDAP database on a specific machine, try changing the host name to an IP address in these files: Windows
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\CSS.xml
where <HSS_HOME> is the location where Shared Services is installed, <AppServName> is the name of the application server you deployed to, and <version> is the application server release number. For example:
c:\Hyperion\SharedServices\9.2\AppServer\InstalledApps\Tomcat\ 5.0.28\CSS.xml
In the CSS.xml file, find hostname and replace it with the IP address:
Troubleshooting OpenLDAP
199
UNIX
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/CSS.xml
where <HSS_HOME> is the location where Shared Services is installed, <AppServName> is the name of the application server you deployed to, and <version> is the application server release number. For example:
/home/username/Hyperion/SharedServices/9.2/AppServer/ InstalledApps/Tomcat/5.0.28/CSS.xml
In the CSS.xml file, find hostname and replace it with the IP address:
<HSS_HOME>/openLDAP/startOpenLDAP.sh
where <HSS_HOME> is the location where Shared Services is installed. For example:
/home/username/Hyperion/SharedServices/9.2/openLDAP/ startOpenLDAP.sh
In the startOpenLDAP.sh file, find hostname and replace it with the IP address:
$OPENLDAP_HOME/usr/local/libexec/slapd -f $OPENLDAP_HOME/usr/local/etc/openldap /slapd.conf -h ldap://hostname:58089
Utilities for Troubleshooting Shared Services

Various utilities can be used to help troubleshoot Shared Services. See the following list for descriptions of these utilities:
Viewing the CSS.xml File

You can verify external authentication providers, native providers, and the CSS.xml file in general using the following URL:
http://localhost:58080/interop/framework/getCSSConfigFile
200
Sync OpenLDAP Utility

The relational database and the OpenLDAP database may sometimes get out of sync. You recognize this if there is an inconsistency related to applications or projects. Shared Services provides a utility to help synchronize these differences.
To synchronize the relational and OpenLDAP databases:

1 Start the Shared Services External Authentication Configuration Console.
For instructions, see Launching the External Authentication Configuration Console on page 74.
2 Log on to the External Authentication Configuration Console. 3 Select Configuration > Sync OpenLDAP.
Shared Services synchronizes the relational and OpenLDAP databases.
Note: The Sync OpenLDAP utility does not synchronize provisioning details for users and groups on applications.
OpenLDAP Recovery
For details about using the recovery utilities, see Appendix E, Shared Services Backup and Recovery.
Validating Classpaths
Shared Services provides the following utility to validate classpaths:
http://localhost:58080/interop/jsp/config/tools/where_is.jsp Note: This is a prototype utility. This utility is not tested for portability across platforms, and so on.
Determining the System Properties in the Java Virtual Machine (JVM)

Shared Services provides the following utility to help determine the system properties in the JVM:
http://localhost:58080/interop/jsp/config/tools/java_system_props.jsp Note: This is a prototype utility. This utility is not tested for portability across platforms, and so on.
Utilities for Troubleshooting Shared Services
201
Accessing the User Management Console

As a best practice when accessing the User Management Console on the computer where Shared Services server is running, the URL to access the console should use an IP address or a fully qualified computer name that includes the domain name. For instructions to launch User Management Console, see Verifying Successful Startup on page 51. For complete information about using the User Management Console, see the Hyperion Shared Services User Management Guide.
202
Index
A
Active Directory Base DN, 76 host name, 76 port number, 76 referrals support, 94 Active Directory deployment scenario, 111, 114 to 116 address, of LDAP/MSAD provider, 76 AIX versions supported, 24 AIX platform JDK installation, 36 Anonymous bind, 76 Apache Tomcat application server software requirements, 23 to 24 version supported, 13 application servers Apache Tomcat, 23 to 24 BEA WebLogic, 23 to 24 clustering, 164 hardware requirements, 22 to 23 IBM WebSphere, 23 to 24 Oracle, 23 to 24 software requirements, 24 versions supported, 13 authentication repository, defined, 64 authentication, timeout setting, 87 Authorization Type, 79
default session timeout, 54 enabling HTTPS for version 8.1, 53 requirements, 26 software requirements, 23 to 24 versions supported, 14 binding anonymously, 76 browsers requirements, 22 settings, 23
C
cell manager, defined, 165 cell, defined, 164 classpaths, validating, 201 clustering about, 164 horizontal, 165 setting up Shared Services using, 163 vertical, 165 WebLogic application servers, 175 WebSphere 5.1.1, 167 configuration for external authentication, 73 for Shared Services server, 41 configuration file, defined, 64 configuration files, backing up, 188 Configuration Utility application server deployment, 47 database configuration, 44 database user rights, 42 described, 42 launching, 43 log file, 55 mail server configuration, 46
B
backing up, Shared Services data, 187 Base DN, LDAP/MSAD, 76 BEA WebLogic application server configuring for Shared Services, 141 to 142
Index A
203
order of tasks, 43 ports for application servers, 47 ports for databases, 44 prerequisites, 42 reconfiguration, 54 task list, 42 troubleshooting, 55 upgrades and, 43 CONNECT privilege, 25 cookies, enabling, 23 CREATE privilege, 25 CREATE TRIGGER, DROP TRIGGER AND MODIFY TRIGGER privilege, 25 CSS.xml file manually configuring, 88 samples, 191 viewing, 200 custom installation, 35 custom object-class entries for LDAP/MSAD groups, 93 for LDAP/MSAD users, 92
Hyperion Download Center, 16 Hyperion Solutions Web site, 16 Information Map, 16 online help, 16 Domain property for NT LAN Manager configuration, 81
E
e-mail attribute, 91 e-mail server, configuring, 46 error messages, configuring, 87 error, logging level, 87 exporting provisioning data, 15 external authentication, 34 configuration, 73 debug, 196 defined, 64 deleting a provider, 95 introduction, 61 External Authentication Configuration Console, about, 14
F D
databases backing up, 188 hardware requirements, 22 IBM DB2, 24 MySQL, 24 Oracle, 24 recovering data, 189 SQL Server, 24 supported, 13 DB2 databases versions supported, 24 debug logging level, 87 Shared Services, 196 deployment scenario Active Directory, 111, 114 to 116 LDAP, 110, 114 to 115, 117 NT LAN Manager, 112 to 115, 118 to 119 directory, home, 34 disk space requirements, 22 documentation, for Shared Services, 15 documents, accessing fatal, logging level, 87 files installed, 35 first-name attribute, 90 fnAttribute property, 90 folders installed HSS_HOME directory, 35 HYPERION_HOME directory, 36
G
group name attribute, 93 Group URL, 77 groups, location of in directory, 77
H
hardware load balancer, using, 166 hardware requirements application Web server, 22 to 23 databases, 22 overview, 22 home directory, 34 horizontal clustering, 165 host name, LDAP/MSAD, 76 HP-UX
204
Index D
versions supported, 24 HTTPS, enabling for WebLogic version 8.1, 53 Hub, uninstalling, 58 Hyperion Configuration Utility. See Configuration Utility Hyperion Home, 36 Hyperion Hub, uninstalling, 58 Hyperion License Server, 12 Hyperion product, default port numbers, 27 Hyperion Remote Authentication Module, 81 Hyperion security platform, about, 16 HYPERION_HOME environment variable, 36
Java Virtual Machine (JVM) determining the system properties in, 201 JDBC drivers, installing, 13
L
LDAP adding or configuring the provider, 75 Base DN, 76 host name, 76 port number, 76 provider configuration name, 75 LDAP deployment scenario, 110, 114 to 115, 117 License Server, 12 Linux versions supported, 24 load balancing about, 165 defined, 165 hardware, 166 software, 167 logging levels configuring the preferred logging priority, 87 setting for Shared Services, 196 setting for the OpenLDAP database, 197 login attribute, 89 login, expiration setting, 87 logs configuration files, 196 list of Shared Services log files, 197 setting messages to debug, 196
I
IBM DB2 databases versions supported, 24 IBM WebSphere application server configuring for Shared Services, 123 requirements, 26 versions supported, 14, 23 to 24 identity, defined, 64 import/export utility (provisioning data), 15 importing provisioning data, 15 info, logging level, 87 install setup program, 33 installation hardware requirements, 22 JDBC drivers, 13 location, 34 overview, 11 planning, 21 post installation tasks, 40 running silent, 39 setup program, 33 software requirements, 22 to 23 uninstalling, 58 wizard, 33 installation checklist, 17 installing Shared Services, 31
M
mail server, configuring, 46 managed server, defined, 164 manual configuration of CSS.xml file, 88 maximum result-set size from query of LDAP/MSAD, 79 from query of NTLM, 82 maxSize property (LDAP/MSAD), 79 maxSize property (NTLM), 82 memory requirements relational database, 22 Shared Services, 22 messages, configuring, 87
J
Java application server requirements, 23 Java database connectivity (JDBC) driver requirements, 23 Java Development Kit (JDK), 34 Java script, enabling, 23
Index I
205
Microsoft Active Directory adding or configuring the provider, 75 provider configuration name, 75 Microsoft SQL Server databases version supported, 24 MySQL databases version supported, 24 MySQL service, 35
Oracle databases, 24 minimum privileges, 25 ou value, 77
P
passwords and trust settings (LDAP/Active Directory), 77 and trust settings (NTLM), 82 planning installations, 21 port numbers about default, 27 default for Remote Method Invocation (RMI) servers, 28 LDAP/MSAD, 76 post installation tasks, 40 privileges required for Oracle databases, 25 processor requirements, 22 properties not available in Shared Services, 88 property element for MSAD referrals support, 94 provider deleting, 95 provider configuration name (LDAP/MSAD), 75 provider configuration name (NTLM), 80 provisioning data exporting, 15 importing, 15 proxy plug-in, using, 167
N
nameAttribute property, 93 Netegrity SiteMinder, 63 Network File System (NFS) protocol, 26 NFS protocol, 26 node agent, defined, 164 node, defined, 164 NT LAN Manager adding or configuring the provider, 80 configuration pre-requisites, 69 domain specification, 81 provider configuration name, 80 Remote Authentication Module, 81 required user rights, 69 NT LAN Manager deployment scenario, 112 to 115, 118 to 119
O
object-class entries for LDAP/MSAD groups, 93 for LDAP/MSAD users, 92 OpenLDAP database and NFS, 26 backing up, 188 exporting, 15 recovery, 201 setting log levels for, 197 setting up SSL on, 98 synchronizing with the relational database, 201 OpenLDAP environment, replicating, 183 OpenLDAP service, 35 OpenLDAP startup commands, 198 Oracle application server configuring for Shared Services, 153 software requirements, 23 to 24 version supported, 14
R
recovering OpenLDAP database, 201 Shared Services data, 187 referrals, Active Directory, 94 relational databases backing up, 188 recovering data, 189 software requirements, 24 supported, 13 synchronizing with the OpenLDAP database, 201 relational server requirements, 22 Remote Authentication Module deployment scenario, 119 specifying a location, 81 Remote Method Invocation (RMI) servers, default port numbers for, 28
206
Index N
requirements browsers, 22 databases, 22 disk space, 22 hardware, 22 memory relational database, 22 Shared Services, 22 relational server, 22 Shared Services server, 22 Shared Services software, 23 software, 22 to 23 Web server, 22 RESOURCE privilege, 25 results setting maximum size (LDAP/MSAD), 79 setting maximum size (NTLM), 82
components, 12 configuring BEA WebLogic application server, 141 to 142 configuring for external authentication, 73 configuring IBM WebSphere application servers, 123 configuring Oracle application server, 153 custom installation, 35 debugging, 196 default port numbers, 27 documentation, 15 folders/files installed, 35 installation checklist, 17 installation location, 34 installation sequence, 17 introduction, 12 location of files, 34 log configuration files, 196 log files, 197 reconfiguring, 54 running silent installations, 39 server components, 12 server requirements, 22 setting up on multiple servers, 28 setting up using clustering, 163 software requirements, 23 starting, 50 stopping, 52 supported application servers, 13 supported databases, 13 typical installation, 35 uninstalling, 58 upgrading, 32 user management, 16 utilities for troubleshooting, 200 Shared Services data, backup and recovery, 187 Shared Services databases, about, 188 Shared Services installation, overview, 11 Shared Services mail server, 46 Shared Services models, debugging, 196 Shared Services taskflows, debugging, 196 Shared Services User Management Console accessing, 202 debugging, 196 SharedServices_Admin.log file, 197 SharedServices_Metadata.log file, 197
S
sample configurations, 191 SAP adding or configuring the provider, 83 prerequisites, 84 single sign-on and, 83 users, roles, and activity groups, 86 search order for providers, setting, 86 Secure Sockets Layer (SSL) enabling, 79, 97 setting up on OpenLDAP, 98 setting up on Tomcat, 99 security agent about, 63 defined, 64 SSL, 97 security platform about, 16 defined, 64 security, about, 16 services installed with Shared Services, 35 session timeout, Weblogic on HP-UX, 54 setup program, 33 Shared Services about, 12 backing up, 188
Index S
207
SharedServices_Security.log file, 197 SharedServices_Security_Client.log file, 197 SharedServices_SyncOpenLDAP.log file, 197 SharedServices_Taskflow.log file, 197 SharedServices_Taskflow_CMDExecute.log file, 197 SharedServices_Taskflow_Optimize.log file, 197 shutdown commands for Shared Services server, 52 port numbers, 27 shutting down Shared Services, 52 silent installations, running, 39 single sign-on defined, 64 overview, 61 SiteMinder and trust settings, 78 deployment scenario, 120 using, 63 snAttribute property, 91 software load balancer using, 167 software requirements overview, 22 Shared Services, 22 summary, 23 Solaris versions supported, 24 SQL Server databases version supported, 24 SSL enabling, 79, 97 port numbers, 27 setting up on OpenLDAP, 98 setting up on Tomcat, 99 starting Shared Services, 50 startup commands for OpenLDAP, 198 for Shared Services server, 50 port numbers, 27 verifying, 51 stopping Shared Services, 52 surname attribute, 91
T
timeout, for an authentication token, 87 timeout, WebLogic on HP-UX, 54 tokens about, 62 and trust settings (LDAP/Active Directory), 77 and trust settings (NTLM), 82 defined, 64 timeout, 87 Tomcat application server setting up SSL on, 99 version supported, 13 trust setting LDAP/Active Directory, 77 NT LAN Manager, 82 typical installation, 35
U
uninstalling Shared Services, 58 upgrading Shared Services, 32 URL for CSS.xml file, 200 of LDAP/MSAD provider, 76 user account, default for connecting to a directory, 76 User DN and Password, 76 user entries, uniquely identifying in LDAP/MSAD, 89 user list maximum size of (LDAP/MSAD), 79 maximum size of (NTLM), 82 user management about, 16 introduction, 61 User Management Console about, 15 accessing, 202 launching URL
for User Management Console, 51

user policies, required for NT LAN Manager, 69 user provisioning, introduction, 61 User URL, 77 users, location of in directory, 77 utilities backup/recover, 188 determining the system properties in the JVM, 201
208
Index T
for troubleshooting Shared Services, 200 sync OpenLDAP, 201 to validate classpaths, 201
V
validating classpaths, 201 verifying startup, 51 vertical clustering, 165
W
warn, logging level, 87 Web access management solutions, using, 63 Web application servers, supported versions, 13 Web server, hardware requirements, 22 to 23 WebLogic application server clustering, 175 configuring for Shared Services, 141 to 142 default session timeout, 54 enabling HTTPS for version 8.1, 53 requirements, 26 versions supported, 14 WebSphere application server clustering version 5.1.1, 167 configuring for Shared Services, 123 requirements, 26 versions supported, 14 Windows versions supported, 24 Windows services installed with Shared Services, 35 starting, 50 wizard, installation, 33
X
XML sample configurations, 191
Index V
209
210
Index X
Index X
211
212
Index X

Hss Install

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hss Install

Uploaded by

Copyright:

Available Formats

HYPERION

Accessing the User Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Oracles Hyperion Shared Services Installation Overview

Oracles Hyperion Shared Services Installation Overview

Hyperion Shared Services Introduction

Shared Services Components

Shared Services Server

Oracles Hyperion Shared Services Installation Overview

Hyperion Shared Services User Management Console Import/Export Utility

Web Application Servers

Apache Tomcat BEA WebLogic IBM WebSphere Oracle Application Server

Shared Services Components

BEA WebLogic Application Server

IBM WebSphere Application Server

Oracle Application Server 10g

Hyperion Configuration Utility

External Authentication Configuration Console

Oracles Hyperion Shared Services Installation Overview

User Management Console

Shared Services Documentation

Shared Services Components

All Shared Services documentation is accessible from the following locations:

Hyperion Security Platform

Shared Services User Management

Oracles Hyperion Shared Services Installation Overview

Shared Services Installation Sequence

Product Component Shared Services installer Hyperion Configuration Utility

Documentation Shared Services Installation Guide

Shared Services External Authentication Configuration Console

Shared Services Installation Guide

Hyperion product installers Hyperion Configuration Utility

Product installation guides Product installation guides

Shared Services User Management Console

Shared Services User Management Guide

Shared Services Installation Sequence

REFERENCE Chapter 4, Installing and Upgrading Shared Services

Chapter 10, Configuring External Authentication for Shared Services

Shared Services Installation Sequence

REFERENCE Hyperion Product Installation Guide

REFERENCE Hyperion Product Installation Guide

REFERENCE Hyperion Shared Services User Management Guide

Shared Services Installation Sequence

Shared Services Installation Sequence

Planning the Shared Services Installation

Planning the Shared Services Installation

Small application10-20 MB Medium application50-60 MB Large application100-200 MB

Shared Services Server Requirements

Planning the Shared Services Installation

Shared Services Component Software Requirements

JDBC (Java database connectivity) driver

Ensure that default browser preferences and options are enabled:

Software Requirements Summary Table

Operating System Windows

Sun Solaris 9, 10 HP-UX

Shared Services software requirements:

Microsoft SQL Server:

Planning the Shared Services Installation

Component JDBC drivers

CONNECT RESOURCE CREATE

CREATE TRIGGER, DROP TRIGGER AND MODIFY TRIGGER

Planning the Shared Services Installation

Port Numbers Used By Hyperion Products

Essbase Smart View Provider Oracles Hyperion Workspace