SHARED SERVICES
RELEASE 9.2.1
INSTALLATION GUIDE
Hyperion Shared Services, Release 9.2.1 Installation Guide Copyright 2004, 2007, Oracle and/or its affiliates. All rights reserved. Authors: Michelle Cohen The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose. If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are commercial computer software or commercial technical data pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065. 
The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.
Contents
CHAPTER 1 Oracle's Hyperion Shared Services Installation Overview
  Hyperion Shared Services Introduction
  Shared Services Components
  Shared Services Server
  Shared Services Documentation
  Hyperion Security Platform
  Shared Services User Management
CHAPTER 2 Shared Services Installation Sequence
CHAPTER 3 Planning the Shared Services Installation
  Hardware Requirements
  Relational Database Hardware Requirements
  Shared Services Server Requirements
  Software Requirements
  Shared Services Component Software Requirements
  Browser Settings
  Software Requirements Summary Table
  Installation Prerequisites
  Port Numbers Used By Hyperion Products
  Default Port Numbers for Remote Method Invocation (RMI) Servers
  Setting Up Shared Services on Multiple Servers
  OpenLDAP Replication
  Shared Services Backup and Recovery
  Sample Shared Services Deployment Scenarios
  Standard Shared Services Configuration
  Shared Services with Replicated Databases
  Sample Configuration of Clustered Shared Services with Replicated Databases
CHAPTER 4 Installing and Upgrading Shared Services
  Upgrading Shared Services
  Launching Installers
  Running the Installation Wizard
  What Happens During Installation
  Files Installed in the HSS_HOME Directory
  Installing JDK on AIX
  About Hyperion Home
  Hyperion Home Location
  Files Installed in the HYPERION_HOME Directory
  Changing the Hyperion Home Location
  Running Silent Installations
  Postinstallation Tasks
CHAPTER 5 Configuring and Setting Up Shared Services
  Hyperion Configuration Utility
  Prerequisites
  Task Sequence
  Configuring Product Upgrades
  Launching the Configuration Utility
  Configuring Relational Storage
  Changing the Database Password
  Configuring the Mail Server
  Deploying Shared Services to an Application Server
  Postconfiguration Tasks
  Backing Up Shared Services Configuration Files
  Starting Shared Services
  Verifying Successful Startup
  Stopping Shared Services
  Deploying WebLogic When Connected Through a Proxy Server
  Enabling HTTPS for WebLogic
  Updating the Default Session Timeout for WebLogic 8.1 on HP-UX
  Reconfiguration
  Configuration Troubleshooting
CHAPTER 6 Uninstalling Shared Services and Hyperion Hub
  About Uninstalling Shared Services and Hyperion Hub
  Uninstalling Shared Services and Hyperion Hub
  Uninstalling Hyperion Hub Release 7.0
  Uninstalling Hyperion Hub Release 7.0.1
  Uninstalling Hyperion Hub Release 7.2.x
  Uninstalling Shared Services Release 9.2.1
CHAPTER 7 About External Authentication and Single Sign-On
  About External Authentication
  About Single Sign-On
  About Support for SiteMinder
  External Authentication and Single Sign-On Terminology
CHAPTER 8 Implementing Hyperion External Authentication
  Workflow for Setting Up External Authentication
  Preparing to Implement External Authentication and Single Sign-On
CHAPTER 9 Using NT LAN Manager for External Authentication
  Setting Up User Rights for NT LAN Manager
  Setting Up User Rights on Windows 2000
  Setting Up User Rights on Windows 2003
  UNIX Application Support for NT LAN Manager
  Multiple-Domain Support for NT LAN Manager
CHAPTER 10 Configuring External Authentication for Shared Services
  How Configuration Works
  Launching the External Authentication Configuration Console
  Adding or Editing an LDAP or MSAD Provider
  Naming the Provider Configuration (Required)
  Specifying Hostname, Port, and Base DN (Required)
  Setting a Read-Only User Account or Selecting an Anonymous Bind (Required)
  Specifying the Location of Users (Optional)
  Specifying the Location of Groups (Optional)
  Specifying the Provider Trust Setting (Optional)
  Setting Maximum Result-Set Size (Optional)
  Setting Authorization Type (Optional)
  Completing the Configuration (Required)
  Adding or Editing an NT LAN Manager Provider
  Naming the Provider Configuration (Required)
  Specifying the Domain (Optional)
  Specifying a Remote Authentication Module Location (Optional)
  Specifying the Provider Trust Setting (Optional)
  Setting Maximum Result-Set Size (Optional)
  Completing the Configuration (Required)
  Working with an SAP Provider
  Prerequisites
  Adding an SAP Provider
  Provisioning SAP Users/Activity Groups
  Setting the Search Order
  Setting the Token Time-Out
  Configuring the Preferred Logging Priority
  Enabling the Security Agent for Single Sign-On
  Additional Configuration Elements
  Configuring the User Login Attribute (Optional, LDAP/MSAD Only)
  Configuring the User First-Name Attribute (Optional, LDAP/MSAD Only)
  Configuring the User Surname Attribute (Optional, LDAP/MSAD Only)
  Configuring the User E-mail Attribute (Optional, LDAP/MSAD Only)
  Adding Custom User Object-Class Entries (Optional, LDAP/MSAD Only)
  Configuring the Group Name Attribute (Optional, LDAP/MSAD Only)
  Adding Custom Group Object-Class Entries (Optional, LDAP/MSAD Only)
  Adding Referral Support (Optional, MSAD Only)
  Deleting a Provider
  Notes About User and Group Names
  Configuring SiteMinder Single Sign-On
  Configuring the SiteMinder Policy Server
  Configuring the SiteMinder Web Agent
  Enabling SiteMinder Authentication in the Shared Services Configuration
  Deployment Example
  Using Secure Sockets Layer (SSL)
  Enabling the Use of SSL
  Setting Up SSL on OpenLDAP
  Setting Up SSL on Apache Tomcat 5.0.28
CHAPTER 11 Using the Hyperion Remote Authentication Module
  About the Hyperion Remote Authentication Module
  UNIX Application Support for NTLM
  Multiple-Domain Support for NT LAN Manager
  Installing the Remote Authentication Module
  Configuring and Starting the Remote Authentication Module
CHAPTER 12 Sample External Authentication Deployment Scenarios
  Single LDAP Directory
  Single Microsoft Active Directory
  UNIX Application and Single NTLM Domain
  Windows Application and Single NTLM Domain
  UNIX Application Against LDAP, MSAD, and NTLM
  Windows Application Against LDAP, MSAD, and NTLM
  Multiple MSAD Instances
  Multiple LDAP Directory Instances
  Multiple NTLM Domains with Trust Relationships
  Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module
  Single Sign-On with SiteMinder
  Deployment References from LDAP Product Vendors
APPENDIX A Manual Deployment to WebSphere Application Server
  Location References
  Prerequisites
  Basic Deployment Instructions
  Define Environment Variables
  Create the Shared Library
  Add a Transport Chain
  Deploy the WAR File
  Override Session Management
  Change the HTTP Cookie Name
  Increase JVM Memory
  Modify Configuration Files
  Detailed Deployment Instructions
  WebSphere 5.1.1.7
  WebSphere 6.1
  Increasing the Memory Allocation for JVM
  Troubleshooting the WebSphere Application Server Configuration
  Modifying Configuration Files
  Driver Classes
  Adapter Classes
  URLs
  Files To Modify
APPENDIX B Manual Deployment to WebLogic Application Server
  Location References
  Prerequisites
  Basic Deployment Instructions
  Create a New WebLogic Domain
  Unpackage the WAR File and Copy Files
  Deploy the Web Application Modules to the SharedServices Server
  Modify Configuration Files
  Update the Classpath
  Copy/Modify Additional Files
  Detailed Deployment Instructions
  Modifying Configuration Files
  Driver Classes
  Adapter Classes
  URLs
  Files To Modify
APPENDIX C Manual Deployment to Oracle 10g Application Server
  Location References
  Prerequisites
  Basic Deployment Instructions
  Modify Configuration Files
  Deploy the Web Application
  Set the Classpaths
  Change the Oracle HTTP Server Listen Ports
  Detailed Deployment Instructions
  Modifying Files After Manual Application Server Configuration
  Driver Classes
  Adapter Classes
  URLs
  Files To Modify
APPENDIX D Setting Up Shared Services Using Clustering
  About Clustering
  About Load Balancing
  Using a Hardware Load Balancer
  Using a Software Load Balancer (Proxy Plug-In)
  WebSphere Clustering
  WebLogic Clustering
  Replicating the OpenLDAP Environment
APPENDIX E Shared Services Backup and Recovery
  Backing Up Shared Services
  Files Backed Up
  Recovering Shared Services
  Running the Sync OpenLDAP Utility
APPENDIX F Sample Configuration XML Files
  Basic XML Configuration Example
  Extended XML Configuration Example
APPENDIX G Troubleshooting the Shared Services Installation
  Shared Services Log Configuration Files
  Debugging Shared Services
  Shared Services Log Files
  Setting Log Levels for the OpenLDAP Database
  Troubleshooting OpenLDAP
  Utilities for Troubleshooting Shared Services
  Viewing the CSS.xml File
  Sync OpenLDAP Utility
  OpenLDAP Recovery
  Validating Classpaths
  Determining the System Properties in the Java Virtual Machine (JVM)
Chapter 1
In This Chapter
This chapter introduces Hyperion products and describes the Shared Services components.
User provisioning
External authentication definition
Metadata synchronization
Data synchronization
Task flow management
The Hyperion System 9 Shared Services User Management Guide (on the Oracle E-Delivery site) describes user-provisioning functionality. Chapter 7, About External Authentication and Single Sign-On, of this guide describes external authentication configuration. All other Shared Services functionality is described in the administrator's and user's guides for the products that implement Shared Services. Products that implement Shared Services functionality require access to a Shared Services server running Shared Services client and server software, and to a database dedicated to Shared Services.
Shared Services Server
Shared Services Documentation
Hyperion Security Platform
Shared Services User Management
Hyperion License Server and standalone license files are no longer used for license management. Instead, administrators need to audit product use. To ensure compliance with your license agreement, you need to edit a properties file to activate or deactivate features in accordance with what you have purchased. For more information about license compliance, see the Hyperion License Compliance Readme (hyp_license_compliance_readme.pdf), which you can find on your product DVD or on the Oracle E-Delivery site.
Databases (relational and OpenLDAP)
Web application server
Hyperion Configuration Utility
External Authentication Configuration Console
You need to install the Shared Services server on only one computer, and it does not need to reside on the same computer as the products registering with Shared Services. Descriptions of the Shared Services server components follow.
Databases
Shared Services stores its data in two databases:
An OpenLDAP database. The OpenLDAP database stores the security-services-related data. Shared Services automatically installs OpenLDAP as a Windows service, configures it, and starts it after installation.
A relational database. The relational database stores the event, administrator, and metadata-services-related data. For a list of supported relational databases, see Software Requirements Summary Table on page 23.
For all supported database software, the installation installs the required JDBC drivers. To assist you in getting started quickly, Hyperion provides the MySQL relational database. Because MySQL is not intended to support large user communities in production environments, it is recommended it be deployed only in a test or demonstration environment where a small number of individuals access and use the software. Following Shared Services installation, you must complete the configuration process as specified in Chapter 5, Configuring and Setting Up Shared Services.
Apache Tomcat
The installation installs and configures Apache Tomcat version 5.0.28 to run with Shared Services.
Note: Hyperion provides Apache Tomcat on the installation media for convenience if you want to use it for your deployment. Hyperion does not own or maintain the Apache Tomcat application server and is not responsible for problems you may encounter with its functionality. Hyperion, however, fully supports the use of Apache Tomcat in its products. In deployments where customers require high availability or failover, Hyperion recommends you deploy a commercially supported application server where these capabilities are supported.
You must install the application server yourself. For 8.1.4, you can deploy the application server using the Hyperion Configuration Utility. Following Shared Services installation, complete the configuration process as specified in Chapter 5, Configuring and Setting Up Shared Services. For 9.2, following installation, you must deploy manually to the application server. See Appendix B, Manual Deployment to WebLogic Application Server.
You must install WebSphere yourself. For 5.1.1.7, you can deploy the application server using the Hyperion Configuration Utility. Following Shared Services installation, complete the configuration process as specified in Chapter 5, Configuring and Setting Up Shared Services. For 6.1, following installation, you must deploy manually to the application server. See Appendix A, Manual Deployment to WebSphere Application Server.
You must install the application server yourself. Following installation, you must deploy manually to the application server. See Appendix C, Manual Deployment to Oracle 10g Application Server.
Managing projects and applications within projects
Provisioning users and groups for applications
Managing the Shared Services native directory
The console software is installed with Shared Services server. See the Hyperion System 9 Shared Services User Management Guide.
Import/Export Utility
The Import/Export utility is a standalone command line utility that exports, imports, and validates Shared Services provisioning data. The Import/Export utility includes these components:
Batch file (Windows) or shell file (UNIX) to invoke the operation
Properties file to configure the utility
XML configuration file
CSV data file
For more information and instructions, see the PDF file that is packaged with the utility as part of the Shared Services installation:
<Hyperion_Home>/common/utilities/CSSImportExportUtility
Hyperion System 9 Shared Services Information Map: Lists the documentation available for Shared Services and provides links to installed documentation.
Hyperion Installation Start Here: Lists high-level tasks for multiple-product installations.
Hyperion Shared Services Readme: Contains late-breaking information about Shared Services.
Hyperion Shared Services Installation Guide: Describes how to install and configure the Shared Services server and set up external authentication providers for use with Hyperion products.
External Authentication Configuration Console Online Help: Describes how to use the External Authentication Configuration Console.
Hyperion System 9 Shared Services User Management Guide: Describes how to set up and administer Hyperion users.
Hyperion System 9 Shared Services User Management Console Online Help: Describes how to use the User Management Console to manage user accounts on Hyperion applications.
Oracle E-Delivery Web site (http://edelivery.oracle.com/)
Oracle Technology Network (http://www.oracle.com/technology/index.html)
The product DVD
The Information Map, available from the Shared Services Help menu for all operating systems. On Windows, it is also available from the Start menu.
Online help, available from within Shared Services consoles. After you log on, you can access online help by clicking Help or selecting the Help menu.
Chapter
This chapter provides information about installing, configuring, and setting up Shared Services:
High-level task flow identifying basic steps
Installation checklist identifying detailed steps for installation and configuration
Step Instruction
1 Install Hyperion Shared Services and configure the Shared Services application server and RDBMS.
2 Configure Shared Services to authenticate user names that are stored externally in LDAP, Active Directory, or Windows NT LAN Manager, enabling single sign-on.
3 Install Hyperion products.
4 Configure Hyperion products and register them with Shared Services. You can configure multiple products at one time, if they are installed on the same computer.
5 Create projects, add applications to projects, and provision users for applications.
The detailed checklist below lists the steps required for a successful installation of Shared Services. Chapter numbers refer to the Hyperion Shared Services Installation Guide unless otherwise noted. If you are upgrading, see Upgrading Shared Services on page 32. Before you begin the installation process, ensure you meet the hardware and software system requirements described in Chapter 3, Planning the Shared Services Installation.
INSTALL SHARED SERVICES AND CONFIGURE THE SHARED SERVICES APPLICATION SERVER AND RDBMS
1. Ensure the database software you are using for Shared Services is installed and operational.
2. Download Shared Services software and documentation from the Oracle E-Delivery site and install Shared Services.
3. Configure the Shared Services application server and RDBMS.
REFERENCE: Chapter 5, Configuring and Setting Up Shared Services
CONFIGURE THE SHARED SERVICES EXTERNAL AUTHENTICATION PROVIDER
1. If enabling one or more Hyperion applications to use external authentication of users in a Windows NT LAN Manager (NTLM) domain, set up the environment and user rights for NTLM support.
2. Ensure Shared Services server is running.
3. Using Shared Services, configure the External Authentication Provider to use:
   Windows NT LAN Manager (NTLM)
   Lightweight Directory Access Protocol (LDAP)
   Microsoft Active Directory (MSAD)
   Shared Services writes your configuration information to a central XML-based security configuration file that is generated by Shared Services. Hyperion products reference the security configuration file for single sign-on of external and remote users.
4. Optionally, set up the environment for Netegrity Single Sign-On, configure Shared Services to use Secure Sockets Layer (SSL), and install the Hyperion Remote Authentication Module.
REFERENCE: Chapter 9, Using NT LAN Manager for External Authentication; Chapter 10, Configuring External Authentication for Shared Services; Chapter 11, Using the Hyperion Remote Authentication Module
INSTALL HYPERION PRODUCTS
Download Hyperion software and documentation from the Oracle E-Delivery site and install Hyperion products.
CONFIGURE HYPERION PRODUCTS
Activate and configure Hyperion products and register them with Shared Services using Hyperion Configuration Utility:
   Specify the Shared Services server location.
   Configure relational databases and repositories for your product.
   Autodeploy products to application servers (recommended), or select the Manual Deployment option to configure the deployment manually.
   Create a properties file for your product.
Note: Shared Services server must be running before you can perform this task.
ASSIGN ROLES FOR SHARED SERVICES USER MANAGEMENT AND PROVISION USERS
A Shared Services administrator must perform the following tasks:
   Assign the Project Manager role to users who are responsible for creating projects and assigning applications to projects.
   For each application, assign the Provisioning Manager role to users who are responsible for assigning roles and access control permissions to users of the application.
   Assign the Directory Manager role to users who are responsible for managing the native Shared Services directory.
Project Managers can create projects and add applications to projects as necessary. Provisioning Managers for each application can provision users and groups (assign roles and access control permissions) for their applications.
Chapter
This chapter contains requirements for a representative deployment (up to 150 total users, 30-40 concurrent users, one Shared Services application) and does not contain sizing guidelines. For information on sizing guidelines, see the Hyperion Business Performance Management Deployment Guide located on the product page on the Oracle E-Delivery site. For larger deployments, Hyperion highly recommends you call Hyperion Consulting Services to determine the correct number of servers for your environment. This chapter details the hardware and operating system requirements, software and browser requirements, and prerequisites. It also explains how to plan for clustering of Shared Services and Shared Services backup and recovery.
In This Chapter
Hardware Requirements
Software Requirements
Installation Prerequisites
Port Numbers Used By Hyperion Products
Setting Up Shared Services on Multiple Servers
OpenLDAP Replication
Shared Services Backup and Recovery
Sample Shared Services Deployment Scenarios
Hardware Requirements
Relational Database Hardware Requirements
Shared Services relational database hardware requirements:
Database Server Component: Hardware Requirements
Microprocessor: Intel Pentium III or later
Memory: 256 MB, 512 recommended
Disk space (general guidelines): (For optimal performance, see the vendor documentation.)
Software Requirements
The following topics outline software requirements and browser settings for Shared Services:
Shared Services Component Software Requirements
Browser Settings
Software Requirements Summary Table
IBM WebSphere 5.1.1.7 and 6.1 [1]
BEA WebLogic 8.1.4 and 9.2 [2]
Apache Tomcat 5.0.28 (provided by Shared Services installation)
Oracle 10g Release 3 (10.1.3.1.0) [3]
Hyperion JDBC DataDirect 3.6 build 24 (provided by Shared Services installation)
Hyperion JDBC MySQL 3.0.8
[1] WebSphere 6.1 is supported only via full manual deployment. For instructions, see Appendix A, Manual Deployment to WebSphere Application Server.
[2] WebLogic 9.2 is supported only via full manual deployment. For instructions, see Appendix B, Manual Deployment to WebLogic Application Server.
[3] Oracle 10.1.3.1.0 is supported only via full manual deployment. For instructions, see Appendix C, Manual Deployment to Oracle 10g Application Server.
Browser Settings
Browser: Supported Versions
Microsoft Internet Explorer: 6.0 and 7.0
Firefox: 2.0.0.3
Enable JavaScript
Enable cookies (The preferred setting is to allow cookies to be stored on your computer. The minimum requirement is that session-level cookies are enabled.)
Supported Versions
Windows Server 2000 (SP4)
Windows Server 2003 (SP1 and R2)
Windows 2003 SP1
Windows 2000 Professional (client)
Windows XP Professional (client)
Windows Vista (Home series and above)
Solaris 9, 10
HP-UX 11.11
HP-UX 11.23
AIX 5.2 ML3
AIX 5.3 ML8
Redhat Linux AS 4.0
AIX (required for the Shared Services OpenLDAP database) Redhat Linux
MySQL: 4.0.12; 4.0.23 for 64-bit processors
Oracle: 9i - 9.2.0.5; 10g - 10.1.0.5; 10g - 10.2.0.2; 11g Beta
IBM DB2: 8.2 (8.1 FP7); 9.1
Microsoft SQL Server: 2000 Service Pack 3a; 2005 SP1
Application servers
IBM WebSphere: 5.1.1.7; 6.1
BEA WebLogic: 8.1.4; 9.2
Oracle: 10g - 10.1.3.1.0
Apache Tomcat: 5.0.28 (Does not support DB2 RDBMS.)
SQL: Hyperion JDBC driver
Oracle: Hyperion JDBC driver
DB2: Hyperion JDBC driver
Hyperion MySQL connect driver
Browsers
Microsoft Internet Explorer 6.0 and 7.0
Firefox 2.0.0.3
Authentication Providers [1]
LDAP: Sun One 5.2 Patch 4; Novell eDirectory 8.8; IBM Directory Server 5.1; Domino 6.0
NTLan Manager (NTLM) on 2000 and 2003
Microsoft Active Directory (MSAD) 2000 and 2003
Netegrity Siteminder 5.5 (SP2)
OpenLDAP 2.3.37 (provided by Shared Services installation and automatically configured)
[1] Requires installation of Hyperion Remote Authentication Module for UNIX authentication against NTLM. See Chapter 11, Using the Hyperion Remote Authentication Module.
Installation Prerequisites
Before installing Shared Services, meet these prerequisites:
To use Shared Services with a database other than MySQL, you must create a database and a user before installing Shared Services. Assign the appropriate rights to the user (see Prerequisites on page 42). For a list of supported databases, see Software Requirements on page 22.
If Shared Services is being installed against an IBM DB2 database, increase the applheapsz DB2 configuration parameter to 4000. Use the following command to do this:
update db cfg for HUB_DB_NAME using applheapsz 4000
You must restart the IBM DB2 instance for this parameter to take effect.
To use Shared Services with an Oracle relational database, these privileges are the minimum required for the Shared Services Oracle database user:
For UNIX systems, do not run an OpenLDAP database on a Network File System (NFS) mounted protocol.
To deploy Shared Services on an application server other than Apache Tomcat, you must install the application server and then install Shared Services. For a list of supported application servers, see Software Requirements on page 22.
If you plan to deploy Shared Services on a BEA WebLogic application server, note these requirements:
Shared Services cannot be installed to directories with names containing spaces; for example, c:\Program Files.
Shared Services cannot be automatically deployed to BEA WebLogic if WebLogic application server is not installed in BEA_HOME. If BEA WebLogic application server is installed outside BEA_HOME, the autodeployment process for Shared Services does not execute correctly. If you install in such an environment, use the manual deployment option to create the necessary Web archive and use the WebLogic application deployment tool to deploy the application to the required instance.
The auto-deployment process for Shared Services does not update the startup scripts for WebLogic to execute as a service. After installation, you must update the installSvc.cmd file with WLS_USER and WLS_PW (user and password) to run WebLogic as a service.
If you plan to deploy Shared Services on an IBM WebSphere application server, note these requirements:
You must install Shared Services on the computer hosting the IBM WebSphere application server.
Shared Services cannot be installed to directories with names containing spaces; for example, c:\Program Files.
On UNIX platforms, if you are using the IBM WebSphere application server, install, deploy, and execute Hyperion products with the same account that was used to install WebSphere. Using one account ensures Hyperion Configuration Utility can successfully deploy Hyperion products to WebSphere.
Be aware of port usage so you can resolve port conflicts during configuration. See Port Numbers Used By Hyperion Products on page 27.
Hyperion Product: Shared Services; Application Builder J2EE; Application Builder.NET; Oracle's Essbase Administration Services; Analytic High Availability Services; Planning; Hyperion Translation Manager; Oracle's Hyperion Financial Reporting System 9; Oracle's Hyperion Web Analysis System 9; Oracle's Hyperion Business Modeling; Oracle's Hyperion Performance Scorecard System 9; Oracle's Hyperion Performance Scorecard System 9 Alerting; Enterprise Metrics
Listen Port 58080 21080 22080 10080 11080 8300 14080 8200
SSL Listen Port 58090 21090 22082 10090 11090 8300 14090
Shutdown Port for Apache Tomcat 58005 21005 22081 10005 11005 8301 14005 8201
16000
16001
17080 18080
17090 18090
17005 18005
18081
18091
18006
8180
8280 8205
8105
13080 19000
13090
13005 45001
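A check to run on the Shared Services host before configuration, so that port conflicts surface early. This is an added example, not part of the original guide; it assumes the first value in each column of the table above is the Shared Services default, adds the dirPort value 58089 from this guide's CSS.xml example, and uses illustrative function names.

```python
"""Pre-configuration port check for a Shared Services host (added example)."""
import errno
import socket
from collections import defaultdict

# Assumption: the first value in each column of the port table is the Shared
# Services default. 58089 is the <dirPort> value from the guide's CSS.xml example.
SHARED_SERVICES_PORTS = {
    "listen": 58080,
    "ssl_listen": 58090,
    "tomcat_shutdown": 58005,
    "dirPort": 58089,
}


def port_is_free(port, host="127.0.0.1"):
    """Return True if a new TCP listener could bind host:port right now."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        # EADDRINUSE: another process holds the port.
        # EACCES: the port is reserved or needs more privilege.
        if exc.errno in (errno.EADDRINUSE, errno.EACCES):
            return False
        raise
    finally:
        sock.close()
    return True


def find_conflicts(ports, host="127.0.0.1"):
    """Return {role: port} for every planned port that is already taken."""
    return {role: port for role, port in ports.items()
            if not port_is_free(port, host)}


def duplicate_ports(ports):
    """Return {port: [roles]} for ports assigned to more than one role."""
    by_port = defaultdict(list)
    for role, port in ports.items():
        by_port[port].append(role)
    return {port: roles for port, roles in by_port.items() if len(roles) > 1}


if __name__ == "__main__":
    for role, port in sorted(find_conflicts(SHARED_SERVICES_PORTS).items()):
        print(f"port {port} ({role}) is already in use")
    for port, roles in duplicate_ports(SHARED_SERVICES_PORTS).items():
        print(f"port {port} is planned for several roles: {', '.join(roles)}")
```

When several Hyperion products share one computer, merge their planned ports into one dictionary before calling `duplicate_ports`, so that overlaps between products are reported as well.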
OpenLDAP Replication
Load balancing and failover are also necessary in the OpenLDAP environment. For detailed information, see Replicating the OpenLDAP Environment on page 183.
Standard Shared Services Configuration
Shared Services with Replicated Databases
Sample Configuration of Clustered Shared Services with Replicated Databases
This figure depicts a standard deployment of Shared Services with replicated databases:
Chapter 4
In This Chapter
This chapter explains how to install Shared Services and describes what happens during installation.
Upgrading Shared Services
Launching Installers
Running the Installation Wizard
What Happens During Installation
Files Installed in the HSS_HOME Directory
Installing JDK on AIX
About Hyperion Home
Running Silent Installations
Postinstallation Tasks
To upgrade to this release of Shared Services from one of the releases mentioned above:
1 Verify that all preparation tasks are complete and all system requirements are met.
See Chapter 3, Planning the Shared Services Installation.
2 Stop all activities and processes connected to Shared Services, including the application server, the OpenLDAP database, and all servers related to Shared Services.
Note: You do not need to uninstall the previous release of Shared Services or stop the relational database.
To stop Shared Services manually, execute the stop script. See Stopping Shared Services on page 52.
3 If the previous installation of Shared Services was a manual deployment, search on your system for the external authentication configuration file (CSS.xml), and manually back it up.
4 Install this release of Shared Services over the existing installation. You must install the Shared Services files to the previous installation directory.
See Launching Installers on page 33 and Running the Installation Wizard on page 33. Do not start Shared Services.
5 If you are upgrading from 9.0.x or from 7.2.5.2, and you previously deployed Shared Services to Apache Tomcat as a Windows service, remove the Windows service before configuring the Shared Services application server.
To remove the Tomcat Windows service, from a command line, change to:
For 9.0.x:
<HSS_HOME>\AppServer\InstalledApps\Tomcat\5.0.28\SharedServices9\bin
For 7.2.5.2:
\Hyperion\HyperionHub\7.2.1\deployments\Tomcat\4.1.30
Then type:
removeService.bat
6 Using Hyperion Configuration Utility, configure the Shared Services application server, RDBMS, and mail server.
You must select the option to re-use the existing database.
Note: You must ensure Shared Services is started before configuring other Hyperion products. If you upgrade Shared Services but do not upgrade other Hyperion products, you must reregister the other products with Shared Services using Hyperion Configuration Utility. For instructions, see the product installation guide.
8 If you are upgrading from 7.2.5.2, ensure the following tags are added to the external authentication configuration file (CSS.xml):
a. The <hub> tag with a URL for the hostname. For example,
<hub location="http://MCOHEN2:58080">
  <dirPort>58089</dirPort>
</hub>
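One way to confirm the <hub> tag is in place after the upgrade, as an added example that is not part of the original guide or of Hyperion's tooling: it parses the text of a CSS.xml file and reports a missing or malformed hub location or dirPort. The sample document is constructed and its root element name is a placeholder; only the <hub> element comes from this guide.

```python
"""Check the <hub> tag in CSS.xml after an upgrade (added example)."""
import re
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. Only the <hub> element is taken from this guide; the
# root element name is a placeholder for whatever the real file uses.
SAMPLE_CSS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <hub location="http://MCOHEN2:58080">
    <dirPort>58089</dirPort>
  </hub>
</config>
"""


def _local_name(tag):
    """Strip an XML namespace prefix such as '{uri}hub' down to 'hub'."""
    return tag.rsplit("}", 1)[-1]


def _valid_port(text):
    """True for a decimal TCP port number between 1 and 65535."""
    return bool(re.fullmatch(r"[0-9]{1,5}", text)) and 1 <= int(text) <= 65535


def check_hub_tag(xml_text):
    """Return a list of problems with the <hub> tag; an empty list means OK."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"CSS.xml is not well-formed XML: {exc}"]

    hubs = [el for el in root.iter() if _local_name(el.tag) == "hub"]
    if not hubs:
        return ["no <hub> tag found"]
    problems = []
    if len(hubs) > 1:
        problems.append(f"{len(hubs)} <hub> tags found, expected one")
    hub = hubs[0]

    # location must be an http(s) URL naming the Shared Services host.
    location = (hub.get("location") or "").strip()
    try:
        parts = urlsplit(location)
        host = parts.hostname
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append(f"hub location has an invalid port: {location!r}")
    else:
        if parts.scheme not in ("http", "https") or not host:
            problems.append(f"hub location is not an http(s) URL: {location!r}")

    # dirPort must be a single child element holding a TCP port number.
    dir_ports = [c for c in hub if _local_name(c.tag) == "dirPort"]
    if len(dir_ports) != 1:
        problems.append(
            f"expected one <dirPort> inside <hub>, found {len(dir_ports)}")
    elif not _valid_port((dir_ports[0].text or "").strip()):
        problems.append(f"<dirPort> is not a valid port: {dir_ports[0].text!r}")
    return problems


if __name__ == "__main__":
    # Usage: python check_hub.py path/to/CSS.xml (no argument checks the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_CSS_XML
    found = check_hub_tag(text)
    print("\n".join(found) if found else "<hub> tag looks complete")
```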
Launching Installers
To launch the Shared Services installer from a self-extracting download file from the Oracle E-Delivery site:
Windows: setup.exe
UNIX: setup.bin
Note: If you cannot execute setup.bin, use chmod to add execute privilege.
If the installation wizard detects a previous installation of Shared Services, you must install the Shared Services files to the same directory as the previous installation. If this is a new installation (no previous installation of Shared Services is detected), you can specify the directory in which to install the Shared Services files. Restrictions for this field:
You can enter only English alphanumeric characters and these special characters: dash ( - ), underscore ( _ ), plus sign ( + ), backslash ( \ ), forward slash ( / ), dot ( . ), colon ( : )
The colon character ( : ) is supported only for Windows platforms to specify the drive (for example, c:\).
If you are deploying Shared Services on a WebLogic or WebSphere application server, Shared Services cannot be installed to a directory whose name contains a space; for example, c:\Program Files.
Windows: c:\Hyperion\SharedServices\<releaseNumber>
UNIX: /home/username/Hyperion/SharedServices/<releaseNumber>
Hyperion common components are installed to a different directory than the Shared Services software. Common components are installed to a location called Hyperion Home (HYPERION_HOME\common). For more information, see About Hyperion Home on page 36. Restrictions for this field:
You can enter only English alphanumeric characters and these special characters: dash ( - ), underscore ( _ ), plus sign ( + ), backslash ( \ ), forward slash ( / ), dot ( . ), colon ( : )
The colon character ( : ) is supported only for Windows platforms to specify the drive (for example, c:\).
The Hyperion Home location cannot be a directory whose name contains a space; for example, c:\Program Files.
Note: On UNIX platforms, if the HYPERION_HOME directory is mounted on a Network File System (NFS) so that one HYPERION_HOME location is visible across multiple computers, Shared Services can only be installed to one computer. If you try to install Shared Services to another computer, the previous installation is detected.
In addition to the Shared Services files, the wizard installs shared components, such as Java Development Kit (JDK) files, Hyperion External Authentication Module files, and so on.
Note: For AIX, the Shared Services installer does not perform a full installation of JDK. For information about installing JDK on AIX, see Installing JDK on AIX on page 36.
After installation is complete, the installation wizard prompts you to launch Hyperion Configuration Utility, which enables you to perform key product activation and configuration tasks. See Postinstallation Tasks on page 40.
Creates directories and subdirectories under the location specified during installation. In documentation, the directory where Shared Services is installed is referred to as HSS_HOME. For a list of the Shared Services directories created during installation, see Files Installed in the HSS_HOME Directory on page 35.
Installs Hyperion common components to HYPERION_HOME\common. For information about HYPERION_HOME and a list of directories created, see About Hyperion Home on page 36. After HYPERION_HOME is defined, you can run a migration utility to change its location. The Hyperion Home Migration Utility is provided with the Shared Services installation. See About Hyperion Home on page 36.
On UNIX, creates and starts a MySQL process.
Installs documentation files to HSS_HOME\docs on the Shared Services computer. See Shared Services Documentation on page 15.
On Windows, adds shortcuts to the Start menu.
Installs an uninstaller in HSS_HOME\uninstall. See Chapter 6, Uninstalling Shared Services and Hyperion Hub.
Windows: c:\Hyperion\SharedServices\<releaseNumber>
UNIX: /home/username/Hyperion/SharedServices/<releaseNumber>
\AppServer
\InstallableApps: files required by the Configuration Utility for autodeployment
\InstalledApps: files/directories created by Hyperion Configuration Utility during auto-deployment
Java APIs for applications to use Shared Services functionality Shared Services documentation files OpenLDAP database files Shared Services executable files, default relational database files, Java class files, and server locale files Files for uninstalling Shared Services
Directories Created in the HYPERION_HOME\common Directory
Directory: Description
appServers: Contains application server files
config: Contains Configuration Utility files
CSS: Contains files to support Hyperion external authentication
DBMS: Contains relational database management system (DBMS) files
HyperionLookAndFeel: Contains installer user interface files
JCE: Contains Java Cryptography Extension (JCE) files for encryption, key generation and key agreement, and Message Authentication Code (MAC)
JDBC: Contains Java Database Connectivity (JDBC) files
JDK: Contains Java Development Kit (JDK) files
loggers: Contains files for external authentication logging
utilities: Contains one of the utilities needed to change the location of Hyperion Home. For more information, see Changing the Hyperion Home Location on page 38.
XML
Then type:
run.exe -console
Then type:
migrationtool.sh
Then type:
migrationtool.sh -console
2 Step through the screens, and when prompted, enter the Hyperion Home location or click Browse to navigate to the desired location.
Do not choose a HYPERION_HOME location containing a space character. For example, C:\Program Files. The migration utility copies the entire Hyperion Home directory to the new location and replaces the value of the current HYPERION_HOME environment variable.
For Windows, the Hyperion Home Migration Utility updates the environment variable. For UNIX, the utility updates the .hyperion.<HOSTNAME> file in the home directory containing the environment variable. Login initialization files, such as .profile and .login are not updated on UNIX systems.
3 The regular (nonsilent) product installer is launched.
4 As you step through the installer, specify the settings to use.
The installation options are recorded in the response file. You can modify the response file to change installation options. You are now ready to run the installation in silent mode.
Postinstallation Tasks
After installation is complete, the installation wizard prompts you to launch Hyperion Configuration Utility. Hyperion Configuration Utility is a common tool that guides you through a series of pages to perform these Shared Services configuration tasks:
Configuring a relational database for Shared Services
Configuring a mail server for Shared Services
Deploying Shared Services on an application server
For detailed information about launching and running Hyperion Configuration Utility, see Chapter 5, Configuring and Setting Up Shared Services.
Chapter
This chapter describes how to configure Shared Services using Hyperion Configuration Utility. It provides instructions for configuring relational databases, deploying to an application server, and configuring the mail server. It also describes how to start and stop the Shared Services server.
In This Chapter
Hyperion Configuration Utility
Prerequisites
Task Sequence
Configuring Product Upgrades
Launching the Configuration Utility
Configuring Relational Storage
Configuring the Mail Server
Deploying Shared Services to an Application Server
Postconfiguration Tasks
Verifying Successful Startup
Reconfiguration
Configuration Troubleshooting
41
Relational Storage Configuration: Required to use a database to store and retrieve Shared Services data. See Configuring Relational Storage on page 44.
Configure Mail Server: Required if you are using task automation notifications. See Configuring the Mail Server on page 46.
Application Server Deployment: Required to deploy Shared Services to an application server. See Deploying Shared Services to an Application Server on page 47.
You can reconfigure Shared Services after the initial configuration, following the same procedures.
Note: You must configure Shared Services before configuring other Hyperion products installed on the same machine or on other machines. You do not need to install Shared Services on each machine where a product is installed.
When using the Configuration Utility to configure other Hyperion products, you are given the option to register products with Shared Services. Registering products is a required step before you can use Shared Services functionality. See the product installation guide.
Prerequisites
Complete these tasks before using the Configuration Utility:
Install the Shared Services server, but do not start it. It should be stopped during configuration.
Install the application server that you plan to use.
Prepare a database to use for relational storage. The database user that you specify during configuration should have the following user rights for the database: inserting seeded data and creating, deleting, and updating tables.
See also Installation Prerequisites on page 25.
Task Sequence
When performing multiple configuration tasks in one session, the Configuration Utility orders the tasks appropriately. If you use the Configuration Utility to perform tasks individually, follow this order:
On the last page of the Shared Services installer, select the option to launch the Configuration Utility.
On Windows, choose a method:
From Start, select Programs > Hyperion > Foundation Services > Configuration Utility.
Double-click the configtool.bat file from:
%HYPERION_HOME%\common\config\
Then type:
startconfigtool.bat -console
Then type:
configtool.sh
Then type:
configtool.sh -console
Note: If you are running the Configuration Utility in console mode, follow the command-line prompts.
2 On the welcome page, click Next.
3 From the list of installed products, select Shared Services and click Next.
A list of configuration tasks is displayed.
Configuring Relational Storage on page 44
Configuring the Mail Server on page 46
Deploying Shared Services to an Application Server on page 47
Note: You can select multiple tasks in one session. For Shared Services, Hyperion recommends you deploy the relational database and the application server together. However, if you decide to deploy them separately, deploy the application server first and then the relational database.
To configure a database:
1 Launch the Configuration Utility.
See Launching the Configuration Utility on page 43.
2 From the list of installed products, select Shared Services and click Next.
3 On the task selection page, select Relational Storage Configuration and click Next.
4 From the list of supported databases, select the database and click Next.
The relational storage configuration details page is displayed.
Note: If you are configuring a product upgrade, the fields on this page are read-only except for the password.
Database Configuration Fields
Server: Enter the computer name of the server hosting the database.
Port: Specify the server port number on which the database listens, or accept the default port:
Displays the name of each product being configured and its install location. This field cannot be changed.
Enter the database name or the Oracle System Identification (database instance). You can enter only English alphanumeric characters and the dash character (-).
Username: Enter the name of the database owner.
Password: Enter the password of the database owner.
Drop all tables and create a new repository
Reuse the existing repository (select this option if upgrading)
Note: If a database is detected, after running the Configuration Utility, Hyperion requires that you run the Sync OpenLDAP Utility to synchronize the differences between the relational repository and the OpenLDAP database. Selecting these database options does not synchronize the data automatically. For instructions, see Sync OpenLDAP Utility on page 201.
4 From the list of installed products, select Shared Services and click Next.
5 On the task selection page, select Relational Storage Configuration and click Next.
6 From the list of supported databases, select the database and click Next.
The relational storage configuration details page is displayed.
8 Click Next.
9 At the prompt to create a new repository or to reuse the existing repository, select Reuse the existing repository.
Shared Services requires you to configure the mail server setting by identifying the Simple Mail Transfer Protocol (SMTP) server.
Caution! On UNIX platforms, if you are using IBM WebSphere application server, use the same account to install, deploy, and execute Hyperion products that you use to install WebSphere. Using the same account ensures that products are deployed successfully.
2 From the list of installed products, select Shared Services and click Next.
3 On the task selection page, select Application Server Deployment and click Next.
4 From the list of supported application servers, select the application server and click Next.
A page is displayed that is specific to the selected application server.
Table 3 Application Server Configuration Fields
Location: Enter the path to the application server directory, or browse to the directory. For example:
or
/opt/WebSphere/AppServer on UNIX
or
/opt/IBM/WebSphere/Express51/AppServer on UNIX
For WebLogic
c:\bea\weblogic81 on Windows
or
/opt/bea/weblogic81 on UNIX
For WebSphere, the Configuration Utility verifies that the specified WebSphere directory and the WebSphere temporary directory are set with Write permission. Write permission must be assigned before running the Configuration Utility.
For WebLogic, enter the path to the BEA Home directory (for example, c:\bea), or browse to and select the location.
Enter your WebLogic username and password.
Select this checkbox if you want to deploy as a manual Windows service. In the Windows service control panel, the service name is listed as:
Hyperion <Product> <AppServer><Version#>
For example:
Hyperion SharedServices9 WAS51
Manual Deployment: Select this checkbox to manually deploy to the application server. The Configuration Utility creates the necessary Web archives (EAR or WAR) to enable manual deployment at a future time. For more information, see the appendix for the application server you are using.
Component: Displays the name of each product or component being configured. This field cannot be changed. For example, if you are configuring Hyperion Reporting and Analysis, Intelligence and Web Analysis components may appear in this column. For products such as Essbase Administration Services, the product name appears as the component.
ServerName: Enter the name of the server where you can access the deployed product. You can enter only English alphanumeric characters and the dash character (-).
Port: If you want to change the default port number that was set during installation, specify a different port number here. Otherwise, accept the default port number. The port number must not exceed 65535.
Hyperion recommends using a port number greater than 1025 to avoid conflicts with third-party port assignments.
Each application port number must be unique. For a list of default port numbers, see Port Numbers Used By Hyperion Products on page 27.
Domain (WebLogic only): Enter the name of the domain where you can access the deployed product. You can enter only English alphanumeric characters.
Note: For all application servers, if you chose to deploy automatically rather than manually, the Configuration Utility checks server disk space when starting deployment to ensure that the size of the EAR or WAR file (as specified in the product configuration file) is available for deployment. If the Configuration Utility indicates the available disk space is inadequate, you must specify a different location for storage of the EAR or WAR files in the product configuration file and then repeat the automatic deployment process. On WebSphere, if you chose to deploy automatically rather than manually, the Configuration Utility checks server disk space for the java.io.tempdir folder when starting deployment to ensure that at least four times the size of the EAR or WAR file (as specified in your product configuration file) is available for deployment. If the available disk space on the server is inadequate, the Configuration Utility relocates the java.io.tempdir file to the HYPERION_HOME\temp directory (HYPERION_HOME/temp directory for UNIX). After deployment is completed, the folder is automatically deleted.
6 Click Next to view configuration status.
7 Click Next to go to the next configuration task or to finish.
Postconfiguration Tasks
This section provides instructions for postconfiguration tasks:
Backing Up Shared Services Configuration Files on page 49
Starting Shared Services on page 50
Deploying WebLogic When Connected Through a Proxy Server on page 53
Enabling HTTPS for WebLogic on page 53
Updating the Default Session Timeout for WebLogic 8.1 on HP-UX on page 54
On Windows, select Start > Programs > Hyperion > Foundation Services > Start Shared Services. The menu item indicates which application server the Shared Services server is deployed to.
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/bin/startSharedServices9.sh
BEA WebLogic
Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\startSharedServices.bat
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/startSharedServices.sh
Oracle
Windows:
<OracleInstallDir>\bin\emctl start iasconsole
<OracleInstallDir>\opmn\bin\opmnctl startall
UNIX:
<OracleInstallDir>/bin/emctl start iasconsole
<OracleInstallDir>/opmn/bin/opmnctl startall
Apache Tomcat
Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\bin\startSharedServices9.bat
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/bin/startSharedServices9.sh
Note: <HSS_HOME> is the directory where Shared Services is installed; for example, c:\hyperion\SharedServices\9.2.
Database Configuration Test Passed
Security System Initialized Successfully
Shared Services Initialized Successfully
On UNIX, when Shared Services is deployed to the Tomcat application server, these confirmation messages are logged to the following file:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/logs/Catalina.out
When Shared Services is deployed to WebSphere, these confirmation messages are logged to the following file:
Windows:
<WebSphereInstallDir>\AppServer\logs\SharedServices9\SystemOut.log
UNIX:
<WebSphereInstallDir>/AppServer/logs/SharedServices9/SystemOut.log
On UNIX and Windows, when Shared Services is deployed to WebLogic, these confirmation messages are also logged to the following file, unless the log level is set to WARN:
Windows:
<HSS_HOME>\AppServer\InstalledApps\WebLogic\8.1\SharedServices9\logs\SharedServices_Metadata.log
UNIX:
<HSS_HOME>/AppServer/InstalledApps/WebLogic/8.1/SharedServices9/logs/SharedServices_Metadata.log
2 On the Shared Services server computer, launch the User Management Console login page using one of these methods:
where SharedServicesServerName is the name of the computer where the Shared Services server is installed and port# is the Shared Services server port number. The default port number is 58080; if Shared Services server is installed to a non-default port, specify that value. For example, using the default port:
http://jdoe:58080/interop/
Note: As a best practice when accessing User Management Console on the machine where the Shared Services server is running, the URL to access the console should always use an IP address or a fully qualified machine name that includes the domain name. If the IP address is dynamic, use the fully qualified machine name.
b. On Windows, select Start > Programs > Hyperion > Foundation Services > User Management Console.
If the User Management Console login page is displayed, Shared Services server is started successfully.
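One way to script the check for the three confirmation messages quoted above, as an added example that is not part of the Hyperion guide or product; the helper names, the recorded-offset approach, and the sample log text are assumptions made for illustration. It examines only what was written after a recorded offset, in case the log still holds confirmations from an earlier run.

```python
import os

# The three confirmation messages from the guide, in the order it lists them.
CONFIRMATIONS = (
    "Database Configuration Test Passed",
    "Security System Initialized Successfully",
    "Shared Services Initialized Successfully",
)

# Constructed log excerpts (the timestamp and level prefix are made up).
SAMPLE_EARLIER_RUN = (
    "2007-01-10 09:00:01 INFO Database Configuration Test Passed\n"
    "2007-01-10 09:00:07 INFO Security System Initialized Successfully\n"
    "2007-01-10 09:00:09 INFO Shared Services Initialized Successfully\n"
)
SAMPLE_FAILED_RESTART = (
    "2007-01-11 09:00:01 INFO Database Configuration Test Passed\n"
    "2007-01-11 09:00:05 ERROR constructed failure line\n"
)


def log_size(path):
    """Byte size of the log; record it just before starting the server."""
    try:
        return os.path.getsize(path)
    except OSError:
        return 0  # log not created yet


def startup_report(path, offset=0):
    """Return (confirmed, missing) for log text written after `offset` bytes."""
    if log_size(path) < offset:
        offset = 0  # file was rotated or truncated since the offset was taken
    try:
        with open(path, "rb") as fh:
            fh.seek(offset)
            text = fh.read().decode("utf-8", errors="replace")
    except OSError:
        return (False, list(CONFIRMATIONS))
    missing, pos = [], 0
    for message in CONFIRMATIONS:
        found = text.find(message, pos)  # each message must follow the previous one
        if found < 0:
            missing.append(message)
        else:
            pos = found + len(message)
    # "missing" means not confirmed, not necessarily failed: per the guide,
    # WebLogic does not write these messages when the log level is WARN.
    return (not missing, missing)
```

Call `log_size()` on the relevant log before running the start script, then pass the result as `offset` once the server has had time to start.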
On Windows, select Start > Programs > Hyperion > Foundation Services > Stop Shared Services. The menu item indicates which application server the Shared Services server is deployed to.
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/bin/stopSharedServices9.sh
BEA WebLogic
Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\stopSharedServices.bat
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/stopSharedServices.sh
Oracle
Windows:
<OracleInstallDir>\bin\emctl stop iasconsole
<OracleInstallDir>\opmn\bin\opmnctl stopall
UNIX:
<OracleInstallDir>/bin/emctl stop iasconsole
<OracleInstallDir>/opmn/bin/opmnctl stopall
Apache Tomcat
Windows:
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\SharedServices9\bin\stopSharedServices9.bat
UNIX:
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/SharedServices9/bin/stopSharedServices9.sh
Note: <HSS_HOME> is the directory where Shared Services is installed; for example, c:\hyperion\SharedServices\9.2.
2 Find SHUTDOWN in the file and replace it with FORCESHUTDOWN.
3 Save and execute the file.
4 Save and close the file.
5 Start the Shared Services server on WebLogic.
6 Log on to the WebLogic Administration Console:
a. Open a browser and set the address to http://servername:portno/console where servername and portno are the server and port (specified during installation) on which the WebLogic server is running; for example, http://localhost:58080/console.
b. Specify the username and password as follows:
8 In the right frame, click the Configuration tab and select the Keystores & SSL sub-tab.
9 Click the Change link for Keystore Configuration.
10 In Specify Keystore Type, for Keystores, select Demo Identity and Demo Trust (if not selected) and click Continue.
Note: In this scenario, the Demo keystore files that come bundled with WebLogic are used.
11 On the Keystore & SSL tab, click Apply.
12 Restart Shared Services server on WebLogic.
HTTPS is enabled on port 7002. You can access Shared Services using the following URL:
https://servername:7002/interop
For example:
<session-param>
  <param-name>TimeoutSecs</param-name>
  <param-value>120</param-value>
</session-param>
Reconfiguration
The Configuration Utility enables you to reconfigure Shared Services multiple times. Reconfiguration procedures are identical to the initial configuration procedures. Launch the Configuration Utility, select Shared Services, and repeat the procedures. Select the options that you want to change and follow the prompts to enter the required information.
Configuration Troubleshooting
Because the Configuration Utility separates configuration from product installation, the task of tracking and correcting configuration errors is simplified. The Configuration Utility logs configuration errors and warning messages to a log file, configtool.log, in a central location:
Chapter 6
This chapter explains how to uninstall Shared Services and Hyperion Hub.
In This Chapter
About Uninstalling Shared Services and Hyperion Hub
Uninstalling Shared Services and Hyperion Hub
Windows: c:\Program Files\Hyperion\HyperionHub\7.0\uninstall\uninstallHyperionHub7.0.exe
UNIX: /home/username/Hyperion/hyperionhub/7.0/uninstall/uninstallhyperionhub7.0.bin
Note: On Windows platforms, you can also uninstall from the Control Panel (Add/Remove Programs).
Windows: c:\Program Files\Hyperion\HyperionHub\7.0.1\uninstall\uninstallHyperionHub7.0.exe
UNIX: /home/username/Hyperion/hyperionhub/7.0.1/uninstall/uninstallhyperionhub7.0.bin
Note: On Windows platforms, you can also uninstall from the Control Panel (Add/Remove Programs).
Windows: c:\Program Files\Hyperion\HyperionHub\7.2.x\uninstall\uninstallHyperionHub7.2.exe
UNIX: /home/username/Hyperion/hyperionhub/7.2.x/uninstall/uninstallhyperionhub7.2.bin
Note: On Windows platforms, you can also uninstall from the Control Panel (Add/Remove Programs).
Windows
<HSS_HOME>\uninstall\uninstallHyperionSystemSharedServices.exe
UNIX
<HSS_HOME>/uninstall/uninstallHyperionSystemSharedServices.bin
where <HSS_HOME> is the directory where Shared Services is installed; for example, c:\hyperion\SharedServices\9.2.
Note: On Windows platforms, you can also uninstall from the Control Panel (Add/Remove Programs).
Caution! Uninstalling Japanese and Korean language Hyperion products using the Microsoft Windows Add/Remove Programs may cause an operating system crash. To avoid this potential problem when uninstalling, locate the uninstallHyperionSystemSharedServices.exe file (located in <HSS_HOME>\uninstall) and double-click the executable to perform the uninstallation manually.
Chapter
This chapter helps you to set up Hyperion applications to use external authentication and single sign-on. Using external authentication to manage user accounts on Hyperion applications provides two main benefits:
The established corporate structure of user accounts is employed by Hyperion applications, thus reducing administrative overhead.
External authentication provides for single sign-on to Hyperion applications, which eliminates the need for users to log on multiple times with multiple usernames and passwords.
In This Chapter
About External Authentication
About Single Sign-On
About Support for SiteMinder
External Authentication and Single Sign-On Terminology
To use external authentication for Hyperion applications, your organization must have an authentication directory containing corporate user information. Additionally, you must modify the XML-based security configuration file associated with your product to specify correct information pertaining to your corporate authentication directory. The following types of authentication repositories are supported:
NTLM on Windows 2000 and Windows 2003
LDAP version 3 or higher
MSAD on Windows 2000 and Windows 2003
SAP Enterprise Portal, SAP R/3, SAP BW
For information about external authentication concepts, see External Authentication and Single Sign-On Terminology on page 64.
As shown in the following figure, the token is passed among other Hyperion products and is used as needed to reauthenticate the user automatically when the user moves to another application. Single sign-on is effective in cases where one Hyperion product launches another. If a user launches a second product independently (for example, from the Start menu), a token cannot be passed between the products, and the user must reauthenticate.
Tokens are encrypted; however, additional security such as the Secure Sockets Layer (SSL) protocol is recommended to prevent replay attacks (a form of network attack in which a data transmission is maliciously or fraudulently repeated or delayed) or man-in-the-middle attacks (an attack in which an attacker is able to read, insert, and modify messages between two parties without the parties knowing the link between them has been compromised).
To enable single sign-on among multiple Hyperion applications that launch one another, you must use one XML configuration file that is shared by the multiple product installations. See Chapter 10, Configuring External Authentication for Shared Services.
For information about key single sign-on concepts, see External Authentication and Single Sign-On Terminology on page 64.
The following security agents are tested and supported for single sign-on with Hyperion applications:
SiteMinder Policy Server 5.5 Service Pack 2
SiteMinder Web Agent 5.5 Service Pack 2
If your corporation implements SiteMinder to protect company Web resources, you can configure the security platform to require only that users authenticate through SiteMinder, after which they are not required to present credentials again when logging in to Hyperion applications.
For information about configuring the securityAgent element in the XML configuration file, see Configuring SiteMinder Single Sign-On on page 96.
For a sample deployment scenario illustrating single sign-on with SiteMinder, see Single Sign-On with SiteMinder on page 120.
Configuration file
Chapter
Use Shared Services External Authentication Configuration Console to manage external authentication outside the context of a particular product or application. After you configure Shared Services, you can configure other Hyperion products that use external authentication by referencing the Shared Services configuration. For Shared Services functionality to be implemented for Hyperion products or applications, each product requires access to a Shared Services server running Shared Services server software and to a database dedicated to Shared Services. For database options, see Chapter 5, Configuring and Setting Up Shared Services.
In This Chapter
Workflow for Setting Up External Authentication
Preparing to Implement External Authentication and Single Sign-On
3. If your corporation implemented SiteMinder to protect company Web resources, you can configure the security platform to enable single sign-on among Hyperion applications and SiteMinder. See Configuring SiteMinder Single Sign-On on page 96 and About Support for SiteMinder on page 63.
4. If you are implementing security using an NTLM provider and using UNIX on the computer where the Hyperion application software is installed, ensure Hyperion Remote Authentication Module is installed.
5. Download and install the Hyperion Remote Authentication Module from the Hyperion Download Center. See Using the Hyperion Remote Authentication Module on page 103.
6. After the Remote Authentication Module is installed, provide its URL as a value to the remoteServer element in the security platform XML configuration file.
7. If you want to enable authentication of users from multiple Windows domains, but you do not want to set up trust relationships among the domains, install the Hyperion Remote Authentication Module on a separate Windows server. Separate installation enables users of Hyperion applications running on one domain to log on to Hyperion applications on other domains. All domains involved must be running Hyperion applications that are configured to use one Hyperion Remote Authentication Module instance.
Chapter 9
The directions in this chapter apply to administrators who want to enable one or more Hyperion applications to use external authentication of users in a Windows NT LAN Manager (NTLM) domain.
In This Chapter
Setting Up User Rights for NT LAN Manager
UNIX Application Support for NT LAN Manager
Multiple-Domain Support for NT LAN Manager
Additionally, access rights are required for end users. The following access rights are required for external authentication to work with an NTLM provider:
Access this computer from the network (usually granted to Administrators). End users of Hyperion applications using external authentication require this right.
Act as part of the operating system (normally not granted to anyone). The account used to run Hyperion application processes requires this right for external authentication to work.
The logged on user should be a domain user. The user running the application or application server of the Hyperion product should be a domain user rather than a local Windows user.
See one of the following topics, depending on which operating system you use.
Setting Up User Rights on Windows 2000 on page 70
Setting Up User Rights on Windows 2003 on page 71
2 In the left frame of Local Security Settings, expand the folder named Local Policies.
3 Click the folder named User Rights Assignment, and, in the right area, double-click the policy named Access this computer from the network.
The Local Security Policy Setting dialog box for the Access this computer from the network policy is displayed.
4 If the relevant user account has the policy checked, click Cancel and skip to step 9.
5 Click Add.
6 Select the name of the user or group needing the right.
7 Click Add.
8 Click OK.
9 In the right frame, double-click the policy named Act as part of the operating system.
The Local Security Policy Setting dialog box for the Act as part of the operating system policy is displayed.
10 If the relevant user account has the policy checked, click Cancel and skip the rest of this procedure.
11 Click Add.
12 Select the name of the user or group needing the right.
13 Click Add.
14 Click OK.
2 In the left frame of Local Security Settings, expand the folder named Local Policies.
3 Click the folder named User Rights Assignment, and, in the right area, double-click the policy named Access this computer from the network.
The Access this computer from the network Properties dialog box is displayed.
4 If the relevant user account is listed as having this right, click Cancel and skip to step 9.
5 Click Add User or Group.
6 Enter the name of the user or group needing the right.
7 Click OK.
8 In Access this computer from the network Properties, click OK.
9 In the right frame of Local Security Settings, double-click the policy named Act as part of the operating system.
The Act as part of the operating system Properties dialog box is displayed.
10 If the relevant user account is listed as having this right, click Cancel and skip the rest of this procedure.
11 Click Add User or Group.
12 Enter the name of the user or group needing the right.
13 Click OK.
14 In Act as part of the operating system Properties, click OK.
15 Close Local Security Settings.
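The two policies assigned above correspond to the Windows user-right constants SeNetworkLogonRight and SeTcbPrivilege. The following added example (not from the Hyperion guide) audits the text of a `secedit /export /cfg <file> /areas USER_RIGHTS` export for both rights; the account names, SIDs, sample export, and function names are constructed for illustration.

```python
# Policy display names used in the guide and their user-right constants.
POLICY_TO_CONSTANT = {
    "Access this computer from the network": "SeNetworkLogonRight",
    "Act as part of the operating system": "SeTcbPrivilege",
}

# Constructed sample export; real exports are usually UTF-16 and must be
# decoded to text before being passed to the functions below.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,EXAMPLE\\HyperionUsers
SeTcbPrivilege = EXAMPLE\\svc_hyperion,EXAMPLE\\jdoe
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Map each right in the [Privilege Rights] section to its holders."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
            continue
        if in_section and "=" in line:
            name, _, holders = line.partition("=")
            # SIDs are written with a leading "*"; account names are not.
            rights[name.strip()] = [
                h.strip().lstrip("*") for h in holders.split(",") if h.strip()
            ]
    return rights


def audit_ntlm_rights(inf_text, service_ids, end_user_ids):
    """Return findings as (kind, right, detail) tuples.

    service_ids / end_user_ids are the names or SIDs that identify the account
    running the Hyperion processes and the end-user account or group.
    Group membership is not resolved: a user who holds the network logon right
    through another listed group is still reported as missing.
    """
    rights = parse_privilege_rights(inf_text)
    service = {s.lower() for s in service_ids}
    users = {u.lower() for u in end_user_ids}
    tcb = [h.lower() for h in rights.get("SeTcbPrivilege", [])]
    net = [h.lower() for h in rights.get("SeNetworkLogonRight", [])]
    findings = []
    if not service.intersection(tcb):
        findings.append(("missing", "SeTcbPrivilege", "service account"))
    for holder in tcb:
        # The guide notes this right is normally not granted to anyone, so any
        # holder other than the service account deserves review.
        if holder not in service:
            findings.append(("excess", "SeTcbPrivilege", holder))
    if not users.intersection(net):
        findings.append(("missing", "SeNetworkLogonRight", "end users"))
    return findings
```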
UNIX application users who must log on using a Windows domain
Windows users who must log on using multiple Windows domains, although no trust relationships are set up
Chapter 10
This chapter tells administrators how to configure Shared Services to support authentication of users stored in LDAP, MSAD, Windows NTLM, or SAP external authentication providers. Configuration also enables single sign-on for accessing multiple Hyperion applications after logging on only once using external credentials.
In This Chapter
How Configuration Works
Launching the External Authentication Configuration Console
Adding or Editing an LDAP or MSAD Provider
Adding or Editing an NT LAN Manager Provider
Working with an SAP Provider
Setting the Search Order
Setting the Token Time-Out
Configuring the Preferred Logging Priority
Enabling the Security Agent for Single Sign-On
Additional Configuration Elements
Deleting a Provider
Notes About User and Group Names
Configuring SiteMinder Single Sign-On
Using Secure Sockets Layer (SSL)
If you are using an earlier release of a Hyperion product with this release of Shared Services, you must have two versions of the external authentication configuration file (CSS.xml) on your system:
The current Shared Services configuration file installed with this release of Shared Services
The Hyperion product configuration file installed with the earlier release of your product
Note: Anytime you update the external authentication configuration, you must restart Shared Services AND all Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
2 Launch the External Authentication Configuration Console by selecting Start > Programs > Hyperion > Foundation Services > External Authentication Configuration Console.
The External Authentication Configuration Console is a Web-browser interface to Shared Services, set to the following address:
http://hostname:portno/interop/framework/login
where hostname and portno are the host and port number on which Shared Services is running, for example,
http://localhost:58080/interop/framework/login
Naming the Provider Configuration (Required) on page 75
Specifying Hostname, Port, and Base DN (Required) on page 76
Setting a Read-Only User Account or Selecting an Anonymous Bind (Required) on page 76
Specifying the Location of Users (Optional) on page 77
Specifying the Location of Groups (Optional) on page 77
Specifying the Provider Trust Setting (Optional) on page 77
Setting Maximum Result-Set Size (Optional) on page 79
Setting Authorization Type (Optional) on page 79
Completing the Configuration (Required) on page 79
To edit a provider, click Edit instead of Add, and complete the relevant tasks in the preceding list.
2 In Port, enter the port number used by the LDAP or MSAD repository; for example, 58089.
3 In Base DN, enter the directory information tree (DIT) section of an LDAP or MSAD URL.
You must include the domainComponent attributes (DCs); for example, DC=company,DC=com.
In User DN, Password, and Confirm Password, enter the information pertaining to a user account having at least read access to the directory information tree (DIT) specified in the Base DN field (for example, dc=company, dc=com). This enables a Hyperion product to get user information from the LDAP or MSAD directory when a user attempts to log on to the Hyperion product using external credentials.
If the administrator configures the directories to provide anonymous access to the directory information tree, select Anonymous bind.
5. The single sign-on mechanism extracts the identity from the token and validates it exists within the authentication providers.
6. The single sign-on mechanism confirms the user exists within the authentication providers.
7. The single sign-on mechanism returns the identity string to Hyperion application 2 to complete authentication.
When the trust setting is false in a single sign-on scenario, additional steps are taken. Steps 4-6 are unique to untrusted providers.
1. Hyperion application 2 receives a token from another Hyperion application 1 that launches it. The password is part of the token.
2. Hyperion application 2 sends the token to the single sign-on mechanism.
3. The single sign-on mechanism validates the token is constructed properly. (Token decryption and read are successful.)
4. The single sign-on mechanism validates the token has not timed out.
Note: The single sign-on token carries the time the token was created and times out based on the settings provided in the external authentication configuration file. Therefore, ensure the system clock is set correctly.
5. The single sign-on mechanism extracts the identity and password from the token.
6. The single sign-on mechanism validates the username and the password against the authentication providers indicated in the configuration.
7. The single sign-on mechanism receives an approval or denial to authenticate from the authentication provider.
8. The single sign-on mechanism returns the identity string to Hyperion application 2 to complete authentication.
If the trust setting is true, a password is not present or required in the token generated upon user authentication. The user still must log on with a username and password, but the password is not stored in the token.
Note: For an explanation of tokens, see About External Authentication on page 62.
If the trust setting is false, a password is part of the token and is required for this NTLM provider.
Note: If your corporation uses a security agent such as Netegrity SiteMinder to protect company Web resources, the provider must be trusted. See Configuring SiteMinder Single Sign-On on page 96.
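The untrusted-provider flow listed above (steps 1-8), modelled as an added Python example that is not part of the original guide or of Hyperion's code. The token layout, the HMAC seal standing in for token decryption, the 30-minute timeout, and the provider contents are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SEAL_KEY = b"constructed-demo-key"   # hypothetical; stands in for the real token protection
TOKEN_TIMEOUT = 30 * 60              # assumed, in seconds; the real value comes from the configuration file

# Constructed untrusted providers in configured order: (name, {user: password})
PROVIDERS = [
    ("ntlm_corp", {"asmith": "Winter-pa55"}),
    ("ldapserver", {"jdoe": "s3cret-Pw"}),
]


class TokenRejected(Exception):
    """Validation stopped; the message names the step of the guide's flow."""


def _seal(body):
    return hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest().encode()


def issue_token(user, password, created):
    """Application 1: for an untrusted provider the password travels in the token."""
    claims = {"user": user, "password": password, "created": created}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body + b"." + _seal(body)


def provider_approves(user, password):
    """Steps 6-7: the configured providers approve or deny the credentials."""
    for _name, users in PROVIDERS:
        stored = users.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            return True
    return False


def validate_token(token, now):
    """Step 2: application 2 hands the token over. Returns the identity (step 8)."""
    # Step 3: the token must be constructed properly (stand-in for decrypt and read).
    try:
        body, tag = token.rsplit(b".", 1)
        if not hmac.compare_digest(tag, _seal(body)):
            raise ValueError("seal mismatch")
        claims = json.loads(base64.urlsafe_b64decode(body))
        user, password, created = claims["user"], claims["password"], claims["created"]
    except (ValueError, KeyError, TypeError) as exc:
        raise TokenRejected("step 3: token not constructed properly") from exc
    # Step 4: the creation time in the token is compared with the validator's own clock,
    # so a clock that runs fast or slow shifts the effective lifetime of every token.
    if now - created > TOKEN_TIMEOUT:
        raise TokenRejected("step 4: token timed out")
    # Steps 5-7: identity and password are extracted and checked against the providers.
    if not provider_approves(user, password):
        raise TokenRejected("step 7: provider denied authentication")
    return user


def outcome(token, now):
    """Convenience wrapper that reports where validation ended."""
    try:
        return "accepted: " + validate_token(token, now)
    except TokenRejected as exc:
        return "rejected at " + str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_token("asmith", "Winter-pa55", t0)
    print(outcome(token, t0 + 60))
    print(outcome(token, t0 + 25 * 60 + 10 * 60))  # 25 minutes old, validator clock 10 minutes fast
```

Because the password rides inside every token for an untrusted provider, the strength of the token protection and the accuracy of both system clocks decide how long a captured token remains useful.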
2 Click Save or continue to Setting Maximum Result-Set Size (Optional) on page 79.
To set the maximum result-set size for an LDAP or Active Directory provider:
1 In Maximum Size, enter the maximum number of entries to be returned in a query:
If Maximum Size is left empty, the default value is 100. If Maximum Size is set to 0, the result-set size is unlimited. This may not be advisable, because on very large query results, it might consume too much memory.
To set the authorization type, in Authorization Type, leave the default value of Simple, or select SSL enabled if you are implementing Secure Sockets Layer. See Using Secure Sockets Layer (SSL) on page 97.
Naming the Provider Configuration (Required)
Specifying the Domain (Optional)
Specifying a Remote Authentication Module Location (Optional)
Specifying the Provider Trust Setting (Optional)
Setting Maximum Result-Set Size (Optional)
Completing the Configuration (Required)
For example, if the local computer and the domain of the local computer have an Administrators group and the domain element of the NTLM server is not specified in the external authentication configuration file, all methods that search for the Administrators group return only one. The returned group is the group on the local computer. Hyperion recommends you specify a domain element in the external authentication configuration file.
If a user ID exists with one password in an NTLM repository and another password in another repository (LDAP or MSAD), and NTLM is earlier in the search order, authenticating the LDAP or MSAD user ID can result in a lockout of the NTLM user account. To address this situation, Hyperion recommends you use the provider hint while authenticating a user, if the authentication repository is known.
UNIX application users who must log on using a Windows domain. See UNIX Application Support for NT LAN Manager on page 72.
Windows users who must log on using multiple Windows domains although no trust relationships are set up. See Multiple-Domain Support for NT LAN Manager on page 72.
If the trust setting is true, a password is not present or required in the token generated upon user authentication. The user still must log on with a user name and password, but the password is not stored in the token. If the trust setting is false, a password is part of the token, and this is required for this NTLM provider.
Note: If your corporation uses a security agent such as Netegrity SiteMinder to protect company Web resources, the provider must be trusted. See Configuring SiteMinder Single Sign-On on page 96.
If Maximum Size is left empty, the default value is 100. If Maximum Size is set to 0, no results are returned.
Note: The preceding statement is true only for NT LAN Manager. When you use LDAP or Active Directory (MSAD), a maximum size of 0 means the result-set size is unlimited.
If a corporate directory is used by the SAP system as a primary store for user data, Shared Services can enable SSO between Hyperion applications and SAP systems even if an SAP provider is not configured. This requires that the corporate directory used by the SAP system be:
supported by Shared Services (see Chapter 3, Planning the Shared Services Installation)
included in the search order defined in the provider configuration
In this scenario, Hyperion applications must receive the SAP logon ticket to enable SSO with SAP.
Prerequisites
All SAP systems within the SAP landscape must be set up for single sign-on with the SAP login ticket. User IDs must be normalized across the SAP landscape so that a user ID in one SAP system refers to the same user across all SAP systems. See the SAP documentation for more information.
Copy/download the SAP JCo binaries (.dll files for Windows and shared libraries for UNIX) into the %HYPERION_HOME%/common/SAP/bin directory. For example: /vol1/Hyperion/common/SAP/bin (UNIX) or C:\Hyperion\common\SAP\bin (Windows). These binaries are available in your SAP distribution. You may also download them from the SAP web site.
Copy/download the SAP JCo archives (.jar files) into the %HYPERION_HOME%/common/SAP/lib directory. For example: /vol1/Hyperion/common/SAP/lib (UNIX) or C:\Hyperion\common\SAP\lib (Windows). These binaries are available in your SAP distribution. You may also download them from the SAP web site.
Copy/download the following SAP libraries into the %HYPERION_HOME%/common/SAP/lib directory. For example: /vol1/Hyperion/common/SAP/lib (UNIX) or C:\Hyperion\common\SAP\lib (Windows). These libraries are required to verify the SAP SSO login ticket provided to Hyperion applications. You can extract these libraries from the file system of any J2EE Engine 6.30 or higher or from the Enterprise Portal EP60 SP2 or higher by searching through the SDA files containing the libraries. Required only if Hyperion applications are plugged into SAP Enterprise Portal.
com.sap.security.core.jar
com.sap.security.api.jar
sapjco.jar
sap.logging.jar
iaik_jce.jar
iaik_jce_export.jar (if using the export version of the IAIK-JCE libraries)
Execute the explodejar.bat (Windows) or explodejar.sh (UNIX) script file available in %HYPERION_HOME%/common/SAP/lib directory to extract the contents of the SAP libraries jar files.
SAP Provider Parameters
Field/Checkbox: Description
Name: A unique configuration name for the SAP provider. Used to identify the SAP provider in situations where multiple SAP providers are defined in Shared Services.
SAP Server Name: The host name or IP address of the machine where the SAP Server is running.
Client Number: The client number of the SAP system to which you want to connect.
System Number: The system number (for example, 00) of the SAP System to which you want to connect.
User ID: The SAP user ID that Shared Services should use to access the SAP provider. This user must have the access privileges to use Remote Function Calls (RFC) to connect to SAP and access user, activity groups, and their relationship data.
Password: The SAP provider password of the user identified in the User ID field.
Max Entries: The maximum number of entries that a query to the SAP provider may return. Default is 100.
Pool Size: JCo connection pool size.
Pool Name: A unique name for the connection pool that should be used to establish a link between Shared Services and the SAP provider.
Language: Language for messages, for example error messages, from the SAP System. By default, this is read from the system locale of the computer hosting Shared Services server.
Location of SAP Digital Certificate: The location of SAP X509 certificate. This certificate is used to parse the SAP login ticket and to extract the user ID needed to support SSO. Required only if Hyperion applications are plugged into SAP Enterprise Portal.
Table 4 SAP Provider Parameters
Description
Select this checkbox if the secure socket layer (SSL) is to be used to communicate between Shared Services and the SAP provider.
Select this checkbox if authentication by SAP ticket is required.
5 Click Save.
Provision SAP users/activity groups by assigning them Hyperion roles
Add SAP users/activity groups to Hyperion native groups in the Shared Services directory to facilitate administration
Refer to the Shared Services User Management Guide for detailed information on provisioning users/activity groups.
Click Add to place a provider in the search order. If a provider is left out of the search order, it cannot be used for authentication.
Click Move Up to give the provider a higher priority in the search order. The first priority is 1. Hyperion recommends you place the provider containing the most users of Hyperion applications first in the search order.
Click Move Down to give the provider a lower priority in the search order. The last priority is represented by the highest number.
Click Remove to remove a provider from the search order. At least one provider must remain in the search order. The providers you remove from the search order are not included as potential authentication sources.
2 Click Save.
Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml).
3 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
2 Click Save.
Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml).
3 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
To configure the error level setting for applications supporting external authentication and single sign-on:
1 In the Additional Configuration section of the External Authentication Configuration Console, locate Logging Level.
2 In Logging Level, select the level of reporting Hyperion applications are to use when logging external authentication activities.
In the following list of values, each level includes the levels below it:
DEBUG includes extensive information useful for debugging.
INFO includes information on the status of operations and requests.
WARN includes cautionary information, if relevant, for some operations and requests.
ERROR includes only statements pertaining to failed operations and requests.
FATAL includes only information about errors resulting in a disconnection.
The name of the log file is SharedServices_Security_Client.log, and it is stored in the temp directory of the operating system.
3 Click Save.
Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml).
4 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
2 Click Save.
Shared Services writes your configuration changes to the external authentication configuration file (CSS.xml).
3 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
The CSS.xml file is located at <HSS_HOME>\AppServer\InstallableApps\common where <HSS_HOME> represents the directory where Shared Services was installed.
Caution! Be sure to save your changes to the CSS.xml file before closing the text editor and before using
Before continuing, it is recommended you examine the structure of the sample CSS.xml files in Appendix F, Sample Configuration XML Files. This section contains the following topics:
Configuring the User Login Attribute (Optional, LDAP/MSAD Only)
Configuring the User First-Name Attribute (Optional, LDAP/MSAD Only)
Configuring the User Surname Attribute (Optional, LDAP/MSAD Only)
Configuring the User E-mail Attribute (Optional, LDAP/MSAD Only)
Adding Custom User Object-Class Entries (Optional, LDAP/MSAD Only)
Configuring the Group Name Attribute (Optional, LDAP/MSAD Only)
Adding Custom Group Object-Class Entries (Optional, LDAP/MSAD Only)
Adding Referral Support (Optional, MSAD Only)
The attribute may be part of the DN, such as uid or cn, or a customized attribute, such as employee_ID, or another attribute commonly used in the directory nodes of users. If the <loginAttribute> section is deleted, the default value is uid, as shown in this sample:
<loginAttribute>uid</loginAttribute>
The sample is correct if all user names are identified by uid = UserName.
3 Save the CSS.xml file.
4 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
2 Between the <fnAttribute></fnAttribute> tags, enter the value of an attribute associated with first-name entries in the directory. If the fnAttribute element is not used, the default value for the first-name attribute is givenname.
3 Save the CSS.xml file.
4 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
2 Between the <snAttribute></snAttribute> tags, enter the value of an attribute associated with last-name entries in the LDAP directory. If the surname attribute is not used, the default value is sn.
3 Save the CSS.xml file.
4 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
shown in bold:
<spi>
  <provider>
    <ldap name="ldapserver">
      ...
      <user>
        <emailAttribute></emailAttribute>
      </user>
      ...
    </ldap>
  </provider>
</spi>
3 Save the CSS.xml file.
4 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
3 Save the CSS.xml file.
4 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
For example, the following configuration means that the group names containing the relevant user entries use the Common Name attribute:
<nameAttribute>cn</nameAttribute>
3 Save the CSS.xml file.
4 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
      <group>
        ...
        <objectclass>
          <entry></entry>
        </objectclass>
        ...
      </group>
      ...
    </ldap>
  </provider>
</spi>
3 Save the CSS.xml file.
4 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
The <property></property> element enables the use of referrals in MSAD. MSAD referral entries are ignored unless this setting is added to the configuration file.
<spi>
  <provider>
    <msad name="msadServer">
      ...
      <user>
        ...
      </user>
      <group>
        ...
      </group>
      <property>
        <key>com.hyperion.css.followReferral</key>
        <value>true</value>
      </property>
    </msad>
  </provider>
</spi>
2 Save the CSS.xml file.
3 Restart Shared Services AND Hyperion products referencing the Shared Services external authentication configuration (including restarting Hyperion product services and servlets).
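An added Python example (not part of the guide or the product) that reads a CSS.xml fragment and reports the attribute each LDAP or MSAD provider will actually use, applying the defaults stated above (uid, givenname, sn) and the MSAD-only referral property. The sample file is constructed and uses only elements shown in this section; the <spi> root and the report layout are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample; it uses only elements that appear in this section.
SAMPLE_CSS_XML = """\
<spi>
  <provider>
    <ldap name="ldapserver">
      <user>
        <loginAttribute>employee_ID</loginAttribute>
        <emailAttribute></emailAttribute>
      </user>
      <group>
        <nameAttribute>cn</nameAttribute>
      </group>
    </ldap>
    <msad name="msadServer">
      <user>
        <snAttribute>sn</snAttribute>
      </user>
      <property>
        <key>com.hyperion.css.followReferral</key>
        <value>true</value>
      </property>
    </msad>
  </provider>
</spi>
"""

# Defaults stated in the guide; no default is stated for emailAttribute.
USER_DEFAULTS = {
    "loginAttribute": "uid",
    "fnAttribute": "givenname",
    "snAttribute": "sn",
    "emailAttribute": None,
}
REFERRAL_KEY = "com.hyperion.css.followReferral"


def _follows_referrals(provider):
    """True only when the followReferral property is present with the value true."""
    for prop in provider.findall("property"):
        key = (prop.findtext("key") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if key == REFERRAL_KEY and value == "true":
            return True
    return False


def effective_settings(xml_text):
    """Map provider name -> effective user attributes, empty tags, referral flag."""
    root = ET.fromstring(xml_text)
    report = {}
    for kind in ("ldap", "msad"):
        for provider in root.iter(kind):
            user = provider.find("user")
            entry = {"type": kind, "empty": []}
            for tag, default in USER_DEFAULTS.items():
                element = user.find(tag) if user is not None else None
                if element is None:
                    entry[tag] = default        # element absent: the default applies
                    continue
                value = (element.text or "").strip()
                if not value:
                    entry["empty"].append(tag)  # tag present but never filled in
                entry[tag] = value
            # MSAD referral entries are ignored unless the property is set;
            # the guide describes the property for MSAD only.
            entry["followReferral"] = _follows_referrals(provider) if kind == "msad" else None
            report[provider.get("name")] = entry
    return report


if __name__ == "__main__":
    for name, entry in effective_settings(SAMPLE_CSS_XML).items():
        print(name, entry)
```

Running this against a backup copy of CSS.xml before a restart shows which directory attribute logins will be matched on and whether MSAD referrals will be followed.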
Deleting a Provider
Deleting a provider permanently removes the provider from the configuration.
Note: Remove removes the provider from the search order but not from the configuration.
To delete a provider:
1 Launch the External Authentication Configuration Console.
2 Select a provider and click Delete.
If a user name or group name contains @, the characters following @ are considered to be the name of a provider registered in the search order. If such a provider name does not exist, an error message is returned. Additionally, the asterisk character (*) cannot be used in LDAP or MSAD user/group names.
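An added model (not Hyperion code) of the @ provider hint and the search order, showing why the guide recommends the hint when the same user ID exists in an NTLM repository and in an LDAP or MSAD repository with different passwords. The provider names, passwords, the three-failure lockout threshold, and the assumption that authentication tries each provider in order until one accepts are constructed for illustration.

```python
class ProviderHintError(Exception):
    """The name after @ is not a provider registered in the search order."""


class Provider:
    def __init__(self, name, kind, users, lockout_after=None):
        self.name = name
        self.kind = kind                    # "ntlm", "ldap" or "msad"
        self.users = dict(users)            # user ID -> password (constructed data)
        self.lockout_after = lockout_after  # failed attempts before lockout; None = never
        self.failures = {}
        self.locked = set()

    def check(self, user, password):
        """Approve or deny; a wrong password counts against the account in this repository."""
        if user not in self.users or user in self.locked:
            return False
        if self.users[user] == password:
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.lockout_after and self.failures[user] >= self.lockout_after:
            self.locked.add(user)
        return False


def candidates_for(login, search_order):
    """Split 'user@provider'; without a hint every provider in the search order is a candidate."""
    user, at, hint = login.partition("@")
    if not at:
        return user, list(search_order)
    hinted = [p for p in search_order if p.name == hint]
    if not hinted:
        raise ProviderHintError("no provider named %r in the search order" % hint)
    return user, hinted


def authenticate(login, password, search_order):
    """Return the name of the provider that accepted the credentials, or None."""
    user, providers = candidates_for(login, search_order)
    for provider in providers:
        if "*" in user and provider.kind in ("ldap", "msad"):
            raise ValueError("* cannot be used in LDAP or MSAD user names")
        if provider.check(user, password):
            return provider.name
    return None


def demo_search_order():
    """Same user ID, different passwords, NTLM first in the search order."""
    ntlm = Provider("ntlm_corp", "ntlm", {"jdoe": "ntlm-pw"}, lockout_after=3)
    ldap = Provider("ldapserver", "ldap", {"jdoe": "ldap-pw"})
    return [ntlm, ldap]


if __name__ == "__main__":
    order = demo_search_order()
    for _ in range(3):
        print(authenticate("jdoe", "ldap-pw", order))       # succeeds via LDAP each time
    print("NTLM accounts locked:", order[0].locked)          # jdoe is now locked in NTLM

    order = demo_search_order()
    for _ in range(3):
        print(authenticate("jdoe@ldapserver", "ldap-pw", order))
    print("NTLM accounts locked:", order[0].locked)          # empty: NTLM was never asked
```

In logs, the unhinted case looks like repeated failed NTLM logons for an account whose owner is successfully working in the application, which is a useful pattern to recognise before treating the lockouts as password guessing.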
In the WebAgent.conf file for each web server, set the cookiedomain property, as follows:
Cookiedomain=.domainName.com
For example:
Cookiedomain=.hyperion.com
For more details, see the Configuring Web Agents chapter in the Netegrity SiteMinder Agent Guide.
Because Shared Services uses basic authentication to protect its content, the web server that intercepts requests for Shared Services should enable basic authentication to support single sign-on with SiteMinder.
Caution! Do not edit the CSS.xml file until after you finish using Shared Services External Authentication Provider Configuration Console for the preliminary configuration. Additionally, Hyperion recommends backing up the CSS.xml file before editing it directly.
Deployment Example
For a sample deployment scenario, see Single Sign-On with SiteMinder on page 120.
Java Virtual Machine for your application. When SSL is used as the secure medium to connect to the directory server, the LDAP service provider of the security platform uses Java Secure Socket Extension (JSSE) software for its SSL support.
On the directory server, ensure a certificate is installed and available.
On the Java Virtual Machine that runs your application, create a certificate database if one does not exist.
On the Java Virtual Machine that runs your application, trust the Certificate Authority (CA) issuing the server certificate.
Note: MSAD sp2 and earlier releases of Hyperion applications are known to have connectivity issues over SSL. Information on resolving such issues is available at this Microsoft Web site: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320711
For information about setting up SSL, see the documentation for your directory server or application server and JRE.
Consult the OpenLDAP Administrator's Guide for a detailed and up-to-date discussion of TLS/SSL use in OpenLDAP Software.
Create a keystore file on the machine where the Shared Services application server is running. See Creating a Keystore File on page 99.
Map the keystore file to the Tomcat server.xml file. See Configuring the Tomcat server.xml File on page 100.
Modify the hub.properties file to use HTTPS. See Modifying the hub.properties File on page 101.
Windows:
HYPERION_HOME\common\JDK\Sun\1.4.2\bin
UNIX:
HYPERION_HOME/common/JDK/Sun/1.4.2/bin
b. Type:
keytool -genkey -alias tomcat -keyalg RSA
2 Respond to the prompts as appropriate; for first and last name, enter the computer (host) name on which the Shared Services application server is running.
By default, the .keystore file is stored in the Windows user home directory or the UNIX user $HOME directory.
Windows:
HYPERION_HOME\common\JDK\Sun\1.4.2\bin
UNIX:
HYPERION_HOME/common/JDK/Sun/1.4.2/bin
b. Type:
Windows:
keytool -export -keystore WINDOWS_USER_HOME_DIRECTORY\.keystore -file server.cert -alias tomcat
UNIX:
keytool -export -keystore USER_$HOME_DIRECTORY/.keystore -file server.cert -alias tomcat
Windows:
HYPERION_HOME\common\JDK\Sun\1.4.2\bin
UNIX:
HYPERION_HOME/common/JDK/Sun/1.4.2/bin
b. Type:
Windows:
keytool -import -keystore HYPERION_HOME\common\JDK\Sun\1.4.2\jre\lib\security\cacerts -file server.cert -alias tomcat
UNIX:
keytool -import -keystore HYPERION_HOME/common/JDK/Sun/1.4.2/jre/lib/security/cacerts -file server.cert -alias tomcat
Windows:
HYPERION_HOME\common\appServers\Tomcat\5.0.28\conf\server.xml
UNIX:
HYPERION_HOME/common/appServers/Tomcat/5.0.28/conf/server.xml
to
Windows:
HSS_HOME\AppServer\InstalledApps\Tomcat\5.0.28\SharedServices9\conf\server.xml
UNIX:
HSS_HOME/AppServer/InstalledApps/Tomcat/5.0.28/SharedServices9/conf/server.xml
where HSS_HOME is the location where Shared Services is installed, for example:
c:\Hyperion\SharedServices\9.2 on Windows or /home/username/Hyperion/SharedServices/9.2 on UNIX
HSS_HOME\AppServer\InstalledApps\Tomcat\5.0.28\SharedServices9\conf\server.xml
The SSL Connector entry in the file you copied from should be left commented.
3 Add the keystoreFile attribute in the <Connector ...> tag and set the keystoreFile value to the location of the .keystore file you created earlier.
UNIX: Example for Tomcat 5.0.28, pointing to the .keystore file located in the root directory:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/.keystore"/>
Windows:
HSS_HOME\AppServer\InstalledApps\Tomcat\5.0.28
UNIX:
HSS_HOME/AppServer/InstalledApps/Tomcat/5.0.28
where HSS_HOME is the location where Shared Services is installed, for example:
c:\Hyperion\SharedServices\9.2 on Windows or /home/username/Hyperion/SharedServices/9.2 on UNIX
Chapter 11
This chapter explains the purpose of the Hyperion Remote Authentication Module and provides instructions for setting it up and starting it. Hyperion Remote Authentication Module is an optional component for external authentication.
In This Chapter
About the Hyperion Remote Authentication Module
Installing the Remote Authentication Module
Configuring and Starting the Remote Authentication Module
UNIX application users who must log on using a Windows NTLM domain
Windows users who must log on using multiple Windows NTLM domains when no trust relationships are set up
Note: Earlier releases of Hyperion applications employing Hyperion Remote Authentication Module 7.0 return an incorrect list of users and groups if the domain element is specified in the configuration file. To avoid this situation, use only Hyperion Remote Authentication Module 7.2.x or later with 7.2.x or later of Hyperion Hub or Hyperion Shared Services. For earlier releases of Hyperion Hub, continue to use Remote Authentication Module 7.0.
The configuration file resides on the application server, as do the Hyperion application binaries.
The NTLM support library file (css-2_6_x.dll) is also required for NTLM connectivity.
You must configure for external authentication as described in Chapter 10, Configuring External Authentication for Shared Services.
The NTLM Primary Domain Controller can be on a Windows 2000 server.
The Hyperion Remote Authentication Module should be on a Windows 2000 server.
Combining the Remote Authentication Module with the NTLM Primary Domain Controller is not recommended.
The Remote Authentication Module computer needs to be in the same domain as the NTLM Primary Domain Controller.
Without the Hyperion Remote Authentication Module, the only way to use multiple domains for a Hyperion product is to establish trust relationships, as shown in the following figure:
6 Provide a value for the HYPERION_HOME environment variable. Hyperion recommends you accept the default location.
7 Enter the host name and port number for the computer hosting the Hyperion Remote Authentication Module. The default port number is 58000.
8 If you are using Secure Sockets Layer with your NTLM deployment, select the option to support SSL.
For SSL configuration, you must provide a value for the <authProtocol></authProtocol> element in the security platform configuration XML file shipped with Shared Services (or alternately, the file shipped with an individual Hyperion product). See Setting Authorization Type (Optional) on page 79.
Note: Hyperion Remote Authentication Module does not support SSL connections on AIX.
9 Click Next.
10 Review the summary of your installation choices, and click Next to begin the installation.
11 Click Finish to complete the installation.
1 On the computer hosting the Hyperion products that connect to Hyperion Remote Authentication Module, modify the values in the <location> tags in the <remoteServer> section of the configuration file, to tell the application where to find the Remote Authentication Module.
You must provide a value for the <remoteServer></remoteServer> element in the external authentication configuration XML file shipped with Shared Services (or alternately, with each Hyperion product).
2 Run the remote authentication module by selecting Start > Programs > Hyperion > Foundation Services > Hyperion Remote Authentication Module > Run Authentication Server.
Chapter 12
In This Chapter
Single LDAP Directory
Single Microsoft Active Directory
UNIX Application and Single NTLM Domain
Windows Application and Single NTLM Domain
UNIX Application Against LDAP, MSAD, and NTLM
Windows Application Against LDAP, MSAD, and NTLM
Multiple MSAD Instances
Multiple LDAP Directory Instances
Multiple NTLM Domains with Trust Relationships
Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module
Single Sign-On with SiteMinder
Deployment References from LDAP Product Vendors
The configuration file resides on the Shared Services server.
The configuration for external authentication should be done from the Shared Services External Authentication Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services.
The application server can be on UNIX, Windows 2000 server, or Windows 2003 server.
The directory server can be on UNIX, Windows 2000 server, or Windows 2003 server.
A secure SSL connection can be used.
The directory server and the application server can be combined into one server. In such a scenario, the application binaries and the directory server binaries reside on one server.
In the single LDAP directory scenario:
All users must use one prefix, such as cn or uid.
All groups must use one prefix, such as cn or ou.
Referrals are not supported.
Users and groups should exist under nodes, such as ou=People and ou=Groups, for optimal data-retrieval performance.
The configuration file resides on the Shared Services server.
The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services.
The application server can be on UNIX, Windows 2000 server, or Windows 2003 server.
The directory server must be on a Windows 2000 or 2003 server.
A secure SSL connection can be used.
The directory server and the application server can be combined into one server. In this scenario, the application binaries and the directory server binaries reside on one server.
In the single MSAD scenario:
All users must use one prefix, such as cn or uid.
All groups must use one prefix, such as cn or ou.
Referrals are supported, if the configuration enables them as described in Adding Referral Support (Optional, MSAD Only) on page 94.
Users and groups should exist under nodes, such as cn=Users, for optimal data-retrieval performance.
Note: The Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based application. Install the Remote Authentication Module from the Hyperion Download Center.
The configuration file resides on the Shared Services server.
The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services.
The NTLM support library (DLL) file is required for NTLM connectivity.
The application server is assumed to be on UNIX, requiring the Hyperion Remote Authentication Module to enable NTLM authentication.
The NTLM Primary Domain Controller server can be on a Windows 2000 server or a Windows 2003 server.
The Hyperion Remote Authentication Module should be on a Windows 2000 server or a Windows 2003 server.
Combining the Remote Authentication Module with the NTLM Primary Domain Controller server is not recommended.
The Remote Authentication Module computer must be in the same domain as the NTLM Primary Domain Controller server.
The security platform can communicate over a secure medium such as Secure Sockets Layer (SSL) with the Hyperion Remote Authentication Module. If you must use SSL, select the SSL option when installing the Hyperion Remote Authentication Module. For complete installation instructions, see Chapter 11, Using the Hyperion Remote Authentication Module.
The configuration file resides on the Shared Services server.
The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services.
The NTLM support library (DLL) file is required for NTLM connectivity.
The NTLM Primary Domain Controller server can be on a Windows 2000 server or a Windows 2003 server.
Note: The Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based application. Install the Remote Authentication Module from the Hyperion Download Center. For installation instructions, see Chapter 11, Using the Hyperion Remote Authentication Module.
The configuration file resides on the Shared Services server.
The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services.
The NTLM support library (DLL) file is required for NTLM connectivity.
The configuration for external authentication should be done as described in the rest of this document.
The NTLM Primary Domain Controller can be on a Windows 2000 server or a Windows 2003 server.
For LDAP-compatible directories, a secure SSL connection can be used.
The configuration of the search order property in the XML configuration file determines the order in which each directory store receives requests for information from the application. For example, the first instance of a requested user found while going through the search order is the instance used by the external authentication mechanism to retrieve and return information about the user to the application. Therefore, although three directories can host user information, it is recommended that user information not be duplicated across the directories. Duplication can lead to the incorrect user object being authenticated. For information about configuring the search order, see Setting the Search Order on page 86.
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. To enable the application server to authenticate against the directory servers shown in the preceding figure, the directory servers must be listed in the search order. The most frequently used directory should be listed first in the search order. For information about configuring the search order, see Setting the Search Order on page 86. A secure SSL connection can be used.
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. To enable the application server to authenticate against the directory servers shown in the preceding figure, the directory servers must be listed in the search order. The most frequently used directory should be listed first in the search order. For information about configuring the search order, see Setting the Search Order on page 86. A secure SSL connection can be used.
The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console, as described in Chapter 10, Configuring External Authentication for Shared Services. The NTLM support library (DLL) file is required for NTLM connectivity. The configuration for external authentication should be done as described in the rest of this document. The NTLM Primary Domain Controllers can be on Windows 2000 or Windows 2003 servers.
Multiple Untrusted NTLM Domains Connected with Hyperion Remote Authentication Module
When there are multiple Windows NTLM domains holding user authentication information, an additional solution is to link the domains using the Hyperion Remote Authentication Module (compare to the scenario described in Multiple NTLM Domains with Trust Relationships on page 118). This scenario eliminates the necessity of establishing trust relationships among the domains, as shown in the following figure:
The Hyperion Remote Authentication Module gives users of Hyperion applications on Windows the ability to log on using multiple domains, without the need for the administrator to create trust relationships among the domains. In the preceding figure, Windows users can log on using domain D2 in addition to the more commonly used domain D1, because the Hyperion Remote Authentication Module is running, giving access to domain D2. Note that D1 does not trust D2. The configuration file resides on the Shared Services server. The configuration for external authentication should be done from the Shared Services External Authentication Provider Configuration Console as described in Chapter 10, Configuring External Authentication for Shared Services. The NTLM support library (DLL) file is required for NTLM connectivity. The NTLM Primary Domain Controllers can be on Windows 2000 or Windows 2003 servers. The security platform can communicate over a secure medium such as Secure Sockets Layer (SSL) with the Hyperion Remote Authentication Module. If you must use SSL, select the SSL option when installing the Hyperion Remote Authentication Module. For complete installation instructions, see Chapter 11, Using the Hyperion Remote Authentication Module.
The following figure illustrates a scenario enabling single sign-on with SiteMinder and a Hyperion application:
The Hyperion application trusts the authentication and authorization information sent by SiteMinder with regard to the protected resources on the directory server. Therefore, the Hyperion security platform supports Tier 1 integration with SiteMinder. The Web agent is installed on a Web server that intercepts requests for the Hyperion application's Web resources, such as JSP, ASP, or HTML files on the application server. If these Web resources are protected, the Web agent issues a challenge for unauthenticated users. When the user is authenticated, the policy server adds to the HTTP headers another header, named HYPLOGIN, whose value is the login name of the authenticated user. Thereafter, the HTTP request is passed on to the Web resources of the Hyperion application, and the login name is extracted from the headers. For more details on configuring the header HYPLOGIN and populating it, see Configuring SiteMinder Single Sign-On on page 96.
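Because the login name is taken from the HYPLOGIN header, the header is only as trustworthy as the path the request travelled to reach the application server. The check below is an added example, not Hyperion or SiteMinder code: it accepts HYPLOGIN only on connections that arrive from the Web agent and only when the header is present exactly once and well formed. The agent address 192.0.2.10, the login pattern, and all function and constant names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the only host allowed to supply HYPLOGIN is the Web server
# running the SiteMinder Web agent (constructed documentation address).
TRUSTED_AGENTS = [ipaddress.ip_network("192.0.2.10/32")]
HEADER = "hyplogin"  # header names are compared case-insensitively
# Assumption: login names are short and use a conservative character set.
LOGIN_RE = re.compile(r"[A-Za-z0-9._@\\-]{1,64}")


def check_request(peer_ip, headers):
    """Return (login, None) if HYPLOGIN can be trusted, else (None, reason).

    peer_ip is the address of the TCP peer as seen by the application server.
    headers is a list of (name, value) pairs so that repeats stay visible.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None, "unparseable peer address"
    if not any(peer in net for net in TRUSTED_AGENTS):
        return None, "request did not arrive through the Web agent"

    values = [value for name, value in headers if name.strip().lower() == HEADER]
    if not values:
        return None, "HYPLOGIN header missing"
    if len(values) > 1:
        return None, "HYPLOGIN header supplied more than once"

    login = values[0].strip()
    if not LOGIN_RE.fullmatch(login):
        return None, "HYPLOGIN value malformed"
    return login, None


# Constructed sample requests: (peer address, header list).
SAMPLE_REQUESTS = [
    ("192.0.2.10", [("Host", "hss.example.test"), ("HYPLOGIN", "asmith")]),
    ("198.51.100.7", [("Host", "hss.example.test"), ("HYPLOGIN", "admin")]),
    ("192.0.2.10", [("HYPLOGIN", "asmith"), ("hyplogin", "admin")]),
    ("192.0.2.10", [("Host", "hss.example.test")]),
]

if __name__ == "__main__":
    for peer, headers in SAMPLE_REQUESTS:
        login, reason = check_request(peer, headers)
        print(peer, "->", login if login else f"rejected: {reason}")
```

Rejections logged by a check like this are worth alerting on, since a HYPLOGIN header on a connection that bypassed the Web agent never came from the policy server.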
APPENDIX A
In This Chapter
Location References
Prerequisites
Basic Deployment Instructions
Detailed Deployment Instructions
Modifying Configuration Files
Location References
The procedures in this section use the following location references to refer to the directories on your system:
<WAS_HOME> is the installation directory of the WebSphere server; for example, C:\IBM\WebSphere\AppServer (Windows) or /opt/websphere (UNIX).
<HSS_HOME> is the directory in which you installed Shared Services.
<HYPERION_HOME> is the directory you specified during the Hyperion product installation.
Note: Unless noted specifically in this chapter, forward slashes in directory paths apply to both Windows and UNIX.
Prerequisites
Complete these tasks before beginning:
Install WebSphere application server and ensure it is running (see the WebSphere documentation).
In WebSphere, create a profile and a server.
Install Shared Services to the same computer as the application server (see Chapter 4, Installing and Upgrading Shared Services).
Note: Shared Services cannot be installed to directories with names containing spaces; for example, the Program Files directory.
After installation, run Hyperion Configuration Utility to configure Shared Services. Select the database configuration and application server deployment tasks. Provide the database information, and then select the manual deployment option on the Application Server selection panel. Selecting the manual deployment option copies the necessary files to:
<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1 (for WebSphere 5.1)
<HSS_HOME>/AppServer/InstalledApps/other (for WebSphere 6.1)
HYPERION_HOME: Set the value to the <HYPERION_HOME> directory you specified during the Hyperion product installation.
HSS_HOME: Set the value to the <HSS_HOME> directory you specified during the Shared Services installation.
WebSphere 5.1.1.7
Windows:
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\HubProductBean.jar
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-collections-3.1.jar
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-dbcp.jar
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-pool.jar
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\hyjdbc.jar
${HYPERION_HOME}\common\XML\JDOM\0.8.0\jdom.jar
${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib
${HYPERION_HOME}\common\SAP\lib
On Windows, add the following path to the Native Library Path field:
<HYPERION_HOME>\common\CSS\9.2.1.0\bin
UNIX:
${HSS_HOME}/AppServer/InstalledApps/WebSphere/5.1
${HSS_HOME}/AppServer/InstalledApps/WebSphere/HubProductBean.jar
${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-collections-3.1.jar
${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-dbcp.jar
${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-pool.jar
${HSS_HOME}/AppServer/InstalledApps/WebSphere/hyjdbc.jar
${HYPERION_HOME}/common/XML/JDOM/0.8.0/jdom.jar
${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib
${HYPERION_HOME}/common/SAP/lib
WebSphere 6.1
Windows:
${HSS_HOME}\AppServer\InstalledApps\other
On Windows, add the following path to the Native Library Path field:
<HYPERION_HOME>\common\CSS\9.2.1.0\bin
UNIX:
${HSS_HOME}/AppServer/InstalledApps/other
${HSS_HOME}/AppServer/InstallableApps/other/HubProductBean.jar
${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar
${HSS_HOME}/AppServer/InstalledApps/other/commons-collections-3.1.jar
${HSS_HOME}/AppServer/InstalledApps/other/commons-dbcp.jar
${HSS_HOME}/AppServer/InstalledApps/other/commons-pool.jar
${HYPERION_HOME}/common/XML/JDOM/0.8.0/jdom.jar
${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib
${HYPERION_HOME}/common/SAP/lib
On Windows, add the following path to the Native Library Path field:
<HYPERION_HOME>\common\CSS\9.2.1.0\bin
A port name (for example, HSS)
The host name (you can enter *) or IP address for that port
The port number under which Shared Services is going to run
WebSphere 5.1)
For servername and portno, enter the server and port on which WebSphere is running. The default location is http://localhost:9090/ibm/console.
HYPERION_HOME: Set the value to the <HYPERION_HOME> directory you specified during installation.
HSS_HOME: Set the value to the <HSS_HOME> directory you specified during installation.
Libraries (Windows):
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\HubProductBean.jar
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-collections-3.1.jar
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-dbcp.jar
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\commons-pool.jar
${HSS_HOME}\AppServer\InstalledApps\WebSphere\5.1\hyjdbc.jar
${HYPERION_HOME}\common\XML\JDOM\0.8.0\jdom.jar
${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib
${HYPERION_HOME}\common\SAP\lib
Libraries (UNIX):
${HSS_HOME}/AppServer/InstalledApps/WebSphere/5.1
${HSS_HOME}/AppServer/InstalledApps/WebSphere/HubProductBean.jar
${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-collections-3.1.jar
${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-dbcp.jar
${HSS_HOME}/AppServer/InstalledApps/WebSphere/commons-pool.jar
${HSS_HOME}/AppServer/InstalledApps/WebSphere/hyjdbc.jar
${HYPERION_HOME}/common/XML/JDOM/0.8.0/jdom.jar
${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib
${HYPERION_HOME}/common/SAP/lib
On Windows, add the following path to the Native Library Path field:
<HYPERION_HOME>\common\CSS\9.2.1.0\bin
d. Click OK.
Caution! Once you set the context root to interop, do not modify it.
e. Click Next and then accept the defaults on the following screens until the Install New Application screen.
f. Select the virtual host of your choice and select Hyperion System 9 Shared Services, click Next, then click Finish.
g. For Map modules to application servers, select Hyperion System 9 Shared Services, click Next, then click Finish.
h. After the confirmation message about a successful deployment is displayed, click Save to Master Configuration.
g. Click OK.
d. Set a reasonable value for Reload Interval and then click OK.
e. Under Additional Properties, select Libraries.
f. Click Add and then select Hyperion Shared Services Libraries, and then click OK.
11 Select the Save command in the top menu bar to save the entire configuration.
12 Replace the jdom.jar file:
a. Locate the jdom.jar file in <WAS_HOME>/lib and rename it to jdom.jar_ori.
b. Copy the jdom-b9.jar from:
<HSS_HOME>/AppServer/InstalledApps/WebSphere/5.1/
to
<WAS_HOME>/lib
13 Modify configuration files. For instructions, see Modifying Configuration Files on page 137.
14 Stop the WebSphere server application.
WebSphere is now configured to run Shared Services.
15 Start the WebSphere server application.
16 Log on to User Management Console using this URL:
http://ServerName:ServerPort/interop; for example, http://localhost:58080/interop.
WebSphere 6.1
This section provides detailed instructions for manually deploying to WebSphere 6.1 application server. See Location References on page 124 for the list of location references used in this section to refer to the directories on your system. Before you begin deploying, review the Prerequisites on page 124.
For servername and portno, enter the server and port on which WebSphere is running. The default location is http://localhost:9060/ibm/console.
a. In the left frame, select Environments > WebSphere Variables.
b. Select the server scope, click New, and create the following variables:
HYPERION_HOME: Set the value to the <HYPERION_HOME> directory you specified during installation.
HSS_HOME: Set the value to the <HSS_HOME> directory you specified during installation.
Libraries (Windows):
${HSS_HOME}\AppServer\InstalledApps\other
${HSS_HOME}\AppServer\InstallableApps\other\HubProductBean.jar
${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib\hyjdbc.jar
${HSS_HOME}\AppServer\InstalledApps\other\commons-collections-3.1.jar
${HSS_HOME}\AppServer\InstalledApps\other\commons-dbcp.jar
${HSS_HOME}\AppServer\InstalledApps\other\commons-pool.jar
${HYPERION_HOME}\common\XML\JDOM\0.8.0\jdom.jar
${HYPERION_HOME}\common\JDBC\DataDirect\3.6\lib
${HYPERION_HOME}\common\SAP\lib
Libraries (UNIX):
${HSS_HOME}/AppServer/InstalledApps/other
${HSS_HOME}/AppServer/InstallableApps/other/HubProductBean.jar
${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar
${HSS_HOME}/AppServer/InstalledApps/other/commons-collections-3.1.jar
${HSS_HOME}/AppServer/InstalledApps/other/commons-dbcp.jar
${HSS_HOME}/AppServer/InstalledApps/other/commons-pool.jar
${HYPERION_HOME}/common/XML/JDOM/0.8.0/jdom.jar
${HYPERION_HOME}/common/JDBC/DataDirect/3.6/lib
${HYPERION_HOME}/common/SAP/lib
On Windows, add the following path to the Native Library Path field:
<HYPERION_HOME>\common\CSS\9.2.1.0\bin
d. Click OK.
Caution! Once you set the context root to interop, do not modify it.
e. Click Next to accept the defaults.
f. Select the virtual host of your choice and select Hyperion Shared Services, click Next, then click Finish.
g. After the Application Server is Successfully Deployed confirmation message is displayed, click Save to Master Configuration.
A name for the new chain (for example, HSS).
A transport chain template (for security).
A port name (for example, HSS), the host name (you can enter *) or IP address for that port, and the port number under which Shared Services is going to run.
d. Click Finish.
d. For Class Loader Order, select Class loaded with Application Class loader first.
e. Set a reasonable value for Polling interval and then click OK.
f. Under References, select Shared Library References.
g. Select the Hyperion System 9 Shared Services Module and click Reference Shared Libraries.
h. Select the Hyperion Shared Services Libraries Shared Library. Then click OK.
11 Select the Save command in the top menu bar to save the entire configuration.
12 Modify configuration files. For instructions, see Modifying Configuration Files on page 137.
13 Stop the WebSphere server application.
WebSphere is now configured to run Shared Services.
14 Start the WebSphere server application.
15 Log on to User Management Console using this URL:
http://ServerName:ServerPort/interop; for example, http://localhost:58080/interop.
2 In the left frame, select Servers > Application Servers; in the right frame, select SharedServices9 (or if you installed manually, select the server to which you installed Shared Services).
3 Select Additional Properties Process Definition.
4 Select Additional Properties Java Virtual Machine.
5 Set Initial Heap Size to 128. (Size is in megabytes.)
6 Set Maximum Heap Size to as much memory as you can allocate for the computer. Hyperion recommends a setting of 1024. (Size is in megabytes.)
7 Click OK.
8 Click OK.
9 Select the Save menu command.
10 Restart the Shared Services server.
2 Log on as the administrator to the WebSphere Administration Console using this URL:
http://servername:portno/admin
For servername and portno, enter the server and port on which WebSphere is running. The default location is http://localhost:9060/admin.
3 In the left frame, open the Servers folder, click Application Servers, and verify there is a server named SharedServices9.
4 In the left frame, open the Environment folder, click Manage Websphere Variables, and ensure the context is set to Cell=DefaultNode, Node=DefaultNode.
5 Ensure the HYPERION_HOME environment variable is set and that it points to the correct directory. If it does not exist, create it.
6 In the left frame, open the Environment folder, click Virtual Hosts, and verify there is a virtual host named hyperionVirtualHost:
If there is no virtual host named hyperionVirtualHost, follow these steps:
i. Click New.
ii. Enter the name hyperionVirtualHost and click OK.
iii. Select the hyperionVirtualHost link.
iv. In Additional Properties, select the Host Aliases link. Click Add.
v. Enter a Host Name of *.
vi. Enter the port number to use for Shared Services.
Note: Each application port number must be unique. If you modify a default port number, change it
vii. Click OK to create the Host Alias.
viii. Click OK to save the changes to hyperionVirtualHost.
ix. Select Save to save the change.
ii. In Additional Properties, select the Host Aliases link.
iii. Select the link * and verify the port number is the one specified during Shared Services installation. This port number must not be used by other Web applications on your server. Take one of these actions:
If the port number is used by another application, correct the port number and click OK to save the change.
If the port number is correct, click Cancel to return to the previous screen.
iv. Click OK to save the changes to hyperionVirtualHost.
v. If you changed the port number, select Save Menu to save the change.
7 In the left frame, open the Environment folder, click Shared Libraries, and verify the scope is set as follows:
Cell=DefaultNode, Node=DefaultNode, Server=SharedServices9
If the scope is not set correctly:
a. Expand the scope section.
b. Correct the information and click Apply to save the change.
8 Verify there is a shared library at the server level called Hyperion Shared Services Libraries:
If the shared library does not exist, follow the procedure in the configuration section for creating this shared library.
If the shared library exists, click the Hyperion Shared Services Libraries link and verify there is a carriage return after each class path. Click OK.
If the shared library exists but was accidentally created at the node level, rename the server level library set and link it to the interop.war file (see step 10).
9 In the left frame, open the Applications folder, click Enterprise Application, and verify there is an application called adminconsole_SharedServices9.
If the application does not exist, you cannot use Hyperion Configuration Utility when the SharedServices9 server is running. You can do what you are doing now, which is to start the server1 server, make your changes, shut down server1 and start the SharedServices9 service.
10 In the left frame, open the Applications folder, click Enterprise Application, and verify there is an application called interop.war:
If the interop.war application does not exist, create one:
i. Click Install and navigate to the file: <HSS_HOME>/AppServer/InstallableApps/common/WebSphere/<version>/interop.war.
iii. Click Next to accept the defaults on the Bindings page.
iv. Click Continue on the Application Security Warning page.
v. Click Next to accept the defaults.
vi. Select hyperionVirtualHost and select Hyperion Shared Services. Click Next.
vii. Select Hyperion Shared Services.
viii. Select the Server WebSphere: cell=DefaultNode, node=DefaultNode, and server=SharedServices9. Click Apply to move it to the Hyperion Shared Services Server.
ix. Click Next. Click Finish.
x. Select Save to Master Configuration and click Save.
xi. In the left frame, open the Applications folder and click Enterprise Application.
If the interop.war application exists or if you just installed the interop.war application:
i. Select the interop.war link.
ii. Select the Additional Properties Libraries link.
iii. If the Hyperion Shared Services Libraries link is not displayed, click Add, select Hyperion Shared Services Libraries, and click OK.
iv. Select Additional Properties Session Management.
v. Select Enable Cookies and ensure the cookie name is set to HUBSESSIONID. Click OK to return to the previous screen.
vi. Ensure Override is selected. Click OK to return to the previous page.
vii. Click OK to save your changes.
viii. Select the Save menu command to save your changes to the Master Configuration, and click Save again to save the changes.
ix. In the HubProductBean.jar file, remove the classes related to the jce1_2_2.jar file. These are classes that are part of the package structure 'javax/crypto/' from HubProductBean.jar.
11 Log off the Administration page and stop the application server.
12 Start the SharedServices9 Application Server by typing the following text at the command prompt:
startServer server1 (Windows) or ./startServer.sh server1 (UNIX).
You can ignore most of the errors generated because you have yet to set up HUB. However, if the log file says it cannot find the Default.xml file, HUB cannot start and you must check whether it is because of one of these reasons:
The Hyperion Shared Services Libraries definition is incorrect and each class is not on its own line.
The libraries are not defined for interop.war.
The <HYPERION_HOME> environment variable is incorrect.
If after following these additional steps you still cannot start Shared Services, contact Hyperion Technical Support.
Driver Classes
Adapter Classes
URLs
For example,
jdbc:hyperion:sqlserver://user.hdc.net:1433;DatabaseName=hyperion
For Oracle:
jdbc:hyperion:oracle://hostname:1521;SID=SIDName
For example,
jdbc:hyperion:oracle://hyperion2003:1521;SID=ora92
For DB2:
jdbc:hyperion:db2://hostname:50000;DatabaseName=databasename;MaxPooledStatements=40;DynamicSections=3000
For example:
jdbc:hyperion:db2://user.hdc.net:50000;DatabaseName=HYPERION;MaxPooledStatements=40;DynamicSections=3000
Files To Modify
The following files require modification using the values provided in the previous section and in the following topics:
Domain.xml
Change the following values to the values for your relational database:
<parameter name="driver">JDBC_DRIVER</parameter>
<parameter name="adapter">JDBC_ADAPTER</parameter>
<parameter name="url">JDBC_URL</parameter>
<parameter name="user">DB_USERNAME</parameter>
<parameter name="password">DB_PASSWORD</parameter>
Change the value for css_config to a valid path for the CSS.xml file.
slide.properties
Change the value for org.apache.slide.domain to a valid path for the Domain.xml file. For example, if you are deploying to WebSphere 6, change the following value for org.apache.slide.domain:
org.apache.slide.domain=F:/cc/cms/server/AppServer/InstalledApps/Tomcat/Base/Domain.xml
to this value:
org.apache.slide.domain=C:/Hyperion/SharedServices/9.2/AppServer/InstalledApps/other/Domain.xml
CSS.xml
Ensure the hostname is used instead of localhost. The hostname is the name of the computer running OpenLDAP, not the computer running the Web server (if you have a Web server). Also ensure the correct port is being used for the OpenLDAP database. For example, change the following values:
<hub location="http://localhost:58080">
<dirPort>58089</dirPort>
</hub>
to these values:
<hub location="http://hostname:58080">
<dirPort>58089</dirPort>
</hub>
scheduler.properties
In the Configure Datasource section, update the following values for the database you are using. The following values apply if DB2 is used:
org.quartz.dataSource.myDS.driver = hyperion.jdbc.db2.DB2Driver
org.quartz.dataSource.myDS.URL = jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000
org.quartz.dataSource.myDS.user = db2admin <database user name>
org.quartz.dataSource.myDS.password = MqEM/uFmOZucduv9jcWaAg== <database password>
Values for Driver Class are listed in Driver Classes on page 137. Values for URLs are listed in URLs on page 137.
WorkflowEngine.properties
Update the following values for the database you are using. The following values apply if DB2 is used:
workflowEngine.jdbc.product=db2
workflowEngine.jdbc.driver=hyperion.jdbc.db2.DB2Driver
workflowEngine.jdbc.url=jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000
workflowEngine.jdbc.user=db2admin <database user name>
Values for driver class are listed in Driver Classes on page 137. Values for URLs are listed in URLs on page 137. For the following field:
workflowEngine.jdbc.product=
APPENDIX B
In This Appendix
Location References
Prerequisites
Basic Deployment Instructions
Detailed Deployment Instructions
Modifying Configuration Files
Location References
The procedures in this section use the following location references to refer to the directories on your system:
<BEA_HOME> is the installation directory of the BEA WebLogic server; for example, C:\bea (Windows) or /opt/bea (UNIX).
<HSS_HOME> is the directory in which you installed Shared Services.
<HYPERION_HOME> is the directory you specified during the Hyperion product installation.
<HSS_WL_HOME> is the location where Hyperion Configuration Utility puts the files
Prerequisites
Complete these tasks before beginning:
Install WebLogic application server and ensure it is running (see the application server documentation).
Install the NodeManager service by running the installNodeMgrSvc.cmd script located in the <BEA_HOME>/server/bin directory and start the service after installation.
Install Shared Services to the same computer as the application server (see Chapter 4, Installing and Upgrading Shared Services).
Note: Shared Services cannot be installed to directories with names containing spaces; for example, the Program Files directory.
After installation, run Hyperion Configuration Utility to configure Shared Services. Select the database configuration and application server deployment tasks. Provide the database information, and then select the manual deployment option on the Application Server selection panel. Selecting the manual deployment option copies the necessary files to:
<HSS_WL_HOME>
For detailed manual deployment instructions, see Detailed Deployment Instructions on page 144.
to:
<HSS_WL_HOME>/SharedServices9Domain/interop
commons-pool.jar
commons-dbcp.jar
d. Copy mimemappings.properties from <HSS_WL_HOME> to the config folder in the WebLogic domain location.
on page 142.
b. On the left-hand side of the screen, select Machines and then the option to configure a new machine. Enter the name of the machine where WebLogic is installed and save the changes.
Note: The NodeManager service must be running on the computer where WebLogic is installed.
c. Select Servers and click SharedServices. Select the machine name that was created in the previous step and save the changes.
to:
<HSS_WL_HOME>/SharedServices9Domain/interop
file to web.xml.
commons-pool.jar
commons-dbcp.jar
iv. Copy mimemappings.properties from <HSS_WL_HOME> to the config folder in the WebLogic domain location.
For 9.2 only: Install this deployment as an application. The target server is SharedServices.
For 9.2 only: Retain the deployment name as interop. Select the option to make the deployment accessible from a specific location, and specify the full path to the interop folder.
10 Modify configuration files. See Modifying Configuration Files on page 147.
11 Copy the following files to the specified location (Windows and UNIX):
a. Copy the HubProductBean.jar file from:
<HSS_WL_HOME>/
to:
<HSS_WL_HOME>/SharedServices9Domain/interop/WEB-INF/lib
13 Start the SharedServices server.
14 For WebLogic 9.2 only: Select Deployments and then the interop web application and click Start -> servicing all requests. Once the status of the application changes to "active", the application is available.
15 Launch http://localhost:58080/interop.
Driver Classes
Adapter Classes
URLs
For example,
jdbc:hyperion:sqlserver://user.hdc.net:1433;DatabaseName=hyperion
For Oracle:
jdbc:hyperion:oracle://hostname:1521;SID=SIDName
For example,
jdbc:hyperion:oracle://hyperion2003:1521;SID=ora92
For DB2:
jdbc:hyperion:db2://hostname:50000;DatabaseName=databasename;MaxPooledStatements=40;DynamicSections=3000
For example:
jdbc:hyperion:db2://user.hdc.net:50000;DatabaseName=HYPERION;MaxPooledStatements=40;DynamicSections=3000
Files To Modify
The following files require modification using the values provided in the previous section and in the following topics:
These files are located in the <HSS_WL_HOME> directory. See Location References on page 142.
Domain.xml
Change the following values to the values for your relational database:
<parameter name="driver">JDBC_DRIVER</parameter>
<parameter name="adapter">JDBC_ADAPTER</parameter>
<parameter name="url">JDBC_URL</parameter>
<parameter name="user">DB_USERNAME</parameter>
<parameter name="password">DB_PASSWORD</parameter>
Change the value for css_config to a valid path for the CSS.xml file. For example, if you are deploying to WebLogic, change the following value for css_config:
<parameter name="css_config">file:///F:/cc/cms/server/deployments/Tomcat/Base/CSS.xml</parameter>
to this value:
slide.properties
Change the value for org.apache.slide.domain to a valid path for the Domain.xml file. For example, if you are deploying to WebLogic, change the following value for org.apache.slide.domain:
org.apache.slide.domain=F:/cc/cms/server/AppServer/InstalledApps/Tomcat/Base/Domain.xml
to this value:
CSS.xml
Ensure the hostname is used instead of localhost. The hostname is the name of the computer running OpenLDAP, not the computer running the Web server (if you have a Web server). Also ensure the correct port is being used for the OpenLDAP database. For example, change the following values:
<hub location="http://localhost:58080">
<dirPort>58089</dirPort>
</hub>
to these values:
<hub location="http://hostname:58080">
<dirPort>58089</dirPort>
</hub>
scheduler.properties
In the Configure Datasource section, update the following values for the database you are using. The following values apply if DB2 is used:
org.quartz.dataSource.myDS.driver = hyperion.jdbc.db2.DB2Driver
org.quartz.dataSource.myDS.URL = jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000
org.quartz.dataSource.myDS.user = db2admin <database user name>
org.quartz.dataSource.myDS.password = MqEM/uFmOZucduv9jcWaAg== <database password>
Values for Driver Class are listed in Driver Classes on page 147. Values for URLs are listed in URLs on page 148.
WorkflowEngine.properties
Update the following values for the database you are using. The following values apply if DB2 is used:
workflowEngine.jdbc.product=db2
workflowEngine.jdbc.driver=hyperion.jdbc.db2.DB2Driver
workflowEngine.jdbc.url=jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000
workflowEngine.jdbc.user=db2admin <database user name>
workflowEngine.jdbc.password=MqEM/uFmOZucduv9jcWaAg== <database password>
Values for driver class are listed in Driver Classes on page 147. Values for URLs are listed in URLs on page 148. For the following field:
workflowEngine.jdbc.product=
APPENDIX C
In This Chapter
This appendix provides information about manually deploying Shared Services to Oracle 10.1.3.1.0 application server.
Location References
Prerequisites
Basic Deployment Instructions
Detailed Deployment Instructions
Modifying Files After Manual Application Server Configuration
Location References
The procedures in this section use the following location references to refer to the directories on your system:
<HSS_HOME> identifies the directory in which you installed Shared Services.
<HYPERION_HOME> identifies the directory for Hyperion products.
<ORACLE_HOME> identifies the installation location of Oracle 10g application server.
For detailed manual deployment instructions, see Detailed Deployment Instructions on page 156.
Note: Unless noted specifically in this chapter, forward slashes in directory paths apply to both Windows and UNIX.
Prerequisites
Complete these tasks before beginning:
Install Oracle application server and ensure it is running (see the application server documentation).
Install Shared Services to the same computer as the application server (see Chapter 4, Installing and Upgrading Shared Services).
Shared Services cannot be installed to directories with names containing spaces; for example, C:\Program Files (Windows) or $HOME/Program Files (UNIX).
After installation, run Hyperion Configuration Utility to configure Shared Services. Configure the database, and then on the application server selection panel, select Tomcat as the application server for deployment and select the manual deployment option. (There is no option for Oracle application server.) Then follow the steps in this chapter to complete the manual deployment. The files copied by Hyperion Configuration Utility for Tomcat are not needed for the Oracle deployment.
UNIX:
<HSS_HOME>/AppServer/InstallableApps/other;
<HSS_HOME>/AppServer/InstallableApps/common;
<HSS_HOME>/AppServer/other/commons-collections-3.1.jar;
<HSS_HOME>/AppServer/InstallableApps/other/commons-dbcp.jar;
<HSS_HOME>/AppServer/InstallableApps/other/commons-pool.jar;
<HSS_HOME>/AppServer/InstallableApps/other/HubProductBean.jar;
<HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar;
<HYPERION_HOME>/common/loggers/Log4j/1.2.8/lib/log4j-1.2.8.jar;
<HYPERION_HOME>/common/SAP/lib;
UNIX:
<HYPERION_HOME>/common/SAP/bin;
<HYPERION_HOME>/common/CSS/9.2.1.0/bin;
Ensure that you keep the bsf.jar and rhino.jar files in the classpath. The jar files are available in the following location:
<ORACLE_HOME>/j2ee/home/applications/<ApplicationName>/interop/WEB-INF/lib
http://download-west.oracle.com/docs/cd/B14099_19/core.1012/b13995/ports.htm#CIHJEEJH
2 Start Oracle application server by opening a Web browser, setting the URL to http://localhost:8888 or http://<servername>:<portname>, and specifying the
3 Log on to the Oracle 10G Application Server Console.
4 Deploy the Web application:
a. Under Groups, click the OC4J instance; for example, Home, where you want to deploy.
b. Click Applications and then click Deploy.
c. On the Select Archive page, click Browse and select
<HSS_HOME>\AppServer\InstallableApps\common\interop.war (Windows)
or
<HSS_HOME>/AppServer/InstallableApps/common/interop.war (UNIX)
d. Click Next.
e. On the Application Attribute page, specify an application name; for example, SharedServices9 and change Context Root to /interop.
f. Click Next.
g. Set the classpaths and path:
   i. On the Deployment Settings page under Deployment Tasks, click the Go to Task link next to the Configure Class Loading task.
   ii. Under Configure Web Module Class Loaders, enter the following values (separated by semicolons) for Classpath Value:
<HSS_HOME>\AppServer\InstallableApps\other;
<HSS_HOME>\AppServer\InstallableApps\common;
UNIX:
<HSS_HOME>/AppServer/InstallableApps/other;
<HSS_HOME>/AppServer/InstallableApps/common;
<HSS_HOME>/AppServer/other/commons-collections-3.1.jar;
<HSS_HOME>/AppServer/InstallableApps/other/commons-dbcp.jar;
<HSS_HOME>/AppServer/InstallableApps/other/commons-pool.jar;
<HSS_HOME>/AppServer/InstallableApps/other/HubProductBean.jar;
<HYPERION_HOME>/common/JDBC/DataDirect/3.6/lib/hyjdbc.jar;
<HYPERION_HOME>/common/loggers/Log4j/1.2.8/lib/log4j-1.2.8.jar;
<HYPERION_HOME>/common/SAP/lib;
Note: Separate each value with a semicolon.
UNIX:
<HYPERION_HOME>/common/SAP/bin;
<HYPERION_HOME>/common/CSS/9.2.1.0/bin;
Ensure that you keep the bsf.jar and rhino.jar files in the classpath. The jar files are available in the following location:
<ORACLE_HOME>/j2ee/home/applications/<ApplicationName>/interop/WEB-INF/lib
   iv. Click OK.
h. On the Deployment Settings page, click Deploy. The Processing: Deploy page displays progress messages for the application being deployed.
i. Click Return after you see the following confirmation message: Application "SharedServices9" successfully deployed.
5 Change the Oracle HTTP server listen port for Shared Services. Instructions for changing the Oracle HTTP server listen port are documented at the following location:
http://download-west.oracle.com/docs/cd/B14099_19/core.1012/b13995/ports.htm#CIHJEEJH
Driver Classes
Adapter Classes
URLs
For MySQL:
jdbc:mysql://hostname:3306/hub?useUnicode=true&characterEncoding=UTF-8
For example,
jdbc:mysql://raghavr.hdc.net:3306/hub?useUnicode=true&characterEncoding=UTF-8
For example,
jdbc:hyperion:sqlserver://udayk.hdc.net:1433;DatabaseName=raghav
For Oracle:
jdbc:hyperion:oracle://hostname:1521;SID=SIDName
For example,
jdbc:hyperion:oracle://hyperion2003:1521;SID=ora92
For DB2:
jdbc:hyperion:db2://hostname:50000;DatabaseName=databasename;MaxPooledStatements=40;DynamicSections=1000
For example:
jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000
Files To Modify
The following files require modification using the values provided in the previous section and in the following topics:
Domain.xml
Change the following values to the values for your relational database:
<parameter name="driver">JDBC_DRIVER</parameter>
<parameter name="adapter">JDBC_ADAPTER</parameter>
<parameter name="url">JDBC_URL</parameter>
<parameter name="user">DB_USERNAME</parameter>
<parameter name="password">DB_PASSWORD</parameter>
Change the value for css_config to a valid path for the CSS.xml file. For example, change the following value:
<parameter name="css_config">file:///F:/cc/cms/server/deployments/Tomcat/Base/CSS.xml</parameter>
Slide.properties
Change the following value:
org.apache.slide.domain=F:/cc/cms/server/deployments/Tomcat/Base/Domain.xml
CSS.xml
Ensure the hostname is used instead of localhost, and ensure the correct port is being used for the OpenLDAP database. For example, change the following values:
<hub location="http://localhost:58080">
  <dirPort>58089</dirPort>
</hub>
Scheduler.properties
In the Configure Datasource section, update the following values for the database you are using. The following values apply if DB2 is used:
org.quartz.dataSource.myDS.driver = hyperion.jdbc.db2.DB2Driver
org.quartz.dataSource.myDS.URL = jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000
org.quartz.dataSource.myDS.user = db2admin <database user name>
org.quartz.dataSource.myDS.password = MqEM/uFmOZucduv9jcWaAg== <database password>
Values for Driver Class are listed in Driver Classes on page 158. Values for URLs are listed in URLs on page 158.
WorkflowEngine.properties
Update the following values for the database you are using. The following values apply if DB2 is used:
workflowEngine.jdbc.product=db2
workflowEngine.jdbc.driver=hyperion.jdbc.db2.DB2Driver
workflowEngine.jdbc.url=jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE;MaxPooledStatements=40;DynamicSections=1000
workflowEngine.jdbc.user=db2admin <database user name>
workflowEngine.jdbc.password=MqEM/uFmOZucduv9jcWaAg== <database password>
Values for driver class are listed in Driver Classes on page 158. Values for URLs are listed in URLs on page 158. For the following field:
workflowEngine.jdbc.product=
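The file edits listed under Files To Modify (for both the WebLogic and the Oracle deployment) can be checked mechanically before the server is started. The following is an added example, not part of the guide or of Shared Services: the wrapper elements <store> and <css>, the sample file contents, and the rule that all three datasource definitions must agree are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Tokens the guide says to replace in Domain.xml.
PLACEHOLDERS = {"JDBC_DRIVER", "JDBC_ADAPTER", "JDBC_URL", "DB_USERNAME", "DB_PASSWORD"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Property names from the guide, keyed by the datasource field they carry.
SCHEDULER_KEYS = {"driver": "org.quartz.dataSource.myDS.driver",
                  "url": "org.quartz.dataSource.myDS.URL",
                  "user": "org.quartz.dataSource.myDS.user"}
WORKFLOW_KEYS = {"driver": "workflowEngine.jdbc.driver",
                 "url": "workflowEngine.jdbc.url",
                 "user": "workflowEngine.jdbc.user"}

# Constructed sample files. The <store> and <css> wrappers are assumptions;
# only <parameter>, <hub> and <dirPort> are taken from the guide.
DB2_URL = ("jdbc:hyperion:db2://raghavr.hdc.net:50000;DatabaseName=JOYCE;"
           "MaxPooledStatements=40;DynamicSections=1000")
SHIPPED_DOMAIN_XML = """<store>
  <parameter name="driver">JDBC_DRIVER</parameter>
  <parameter name="adapter">JDBC_ADAPTER</parameter>
  <parameter name="url">JDBC_URL</parameter>
  <parameter name="user">DB_USERNAME</parameter>
  <parameter name="password">DB_PASSWORD</parameter>
</store>"""
SHIPPED_CSS_XML = """<css>
  <hub location="http://localhost:58080">
    <dirPort>58089</dirPort>
  </hub>
</css>"""
SAMPLE_SCHEDULER = f"""# Configure Datasource
org.quartz.dataSource.myDS.driver = hyperion.jdbc.db2.DB2Driver
org.quartz.dataSource.myDS.URL = {DB2_URL}
org.quartz.dataSource.myDS.user = db2admin
org.quartz.dataSource.myDS.password = CONSTRUCTED_ENCRYPTED_VALUE
"""
SAMPLE_WORKFLOW = f"""workflowEngine.jdbc.product=db2
workflowEngine.jdbc.driver=hyperion.jdbc.db2.DB2Driver
workflowEngine.jdbc.url={DB2_URL}
workflowEngine.jdbc.user=db2admin
workflowEngine.jdbc.password=CONSTRUCTED_ENCRYPTED_VALUE
"""


def parse_properties(text):
    """Parse the simple key=value subset of Java .properties used by these files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # JDBC URLs contain '=' after the first one
        if sep:
            props[key.strip()] = value.strip()
    return props


def domain_parameters(domain_xml):
    """Return {name: value} for every <parameter name="..."> element."""
    root = ET.fromstring(domain_xml)
    return {p.get("name"): (p.text or "").strip() for p in root.iter("parameter")}


def audit(domain_xml, css_xml, scheduler_text, workflow_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    params = domain_parameters(domain_xml)

    # 1. Domain.xml must carry real database values, not the shipped tokens.
    for name in ("driver", "adapter", "url", "user", "password"):
        value = params.get(name, "")
        if not value or value in PLACEHOLDERS:
            findings.append(f"Domain.xml: parameter '{name}' is missing or still a placeholder")

    # 2. CSS.xml must name the OpenLDAP host (not localhost) and a valid port.
    for hub in ET.fromstring(css_xml).iter("hub"):
        location = hub.get("location", "")
        host = urlsplit(location).hostname
        if host is None or host.lower() in LOOPBACK_HOSTS:
            findings.append(f"CSS.xml: hub location '{location}' does not name the OpenLDAP host")
        port = (hub.findtext("dirPort") or "").strip()
        if not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"CSS.xml: dirPort '{port}' is not a valid TCP port")

    # 3. Assumption: all three files point at the same database. The password
    #    is deliberately left out of the comparison so it is never echoed.
    sched = parse_properties(scheduler_text)
    flow = parse_properties(workflow_text)
    for field in ("driver", "url", "user"):
        seen = {"Domain.xml": params.get(field),
                "scheduler.properties": sched.get(SCHEDULER_KEYS[field]),
                "WorkflowEngine.properties": flow.get(WORKFLOW_KEYS[field])}
        if len(set(seen.values())) > 1:
            detail = ", ".join(f"{name}={value!r}" for name, value in seen.items())
            findings.append(f"datasource {field} differs across files: {detail}")
    return findings


if __name__ == "__main__":
    for finding in audit(SHIPPED_DOMAIN_XML, SHIPPED_CSS_XML, SAMPLE_SCHEDULER, SAMPLE_WORKFLOW):
        print(finding)
```

Run against the real files by reading each one into a string and passing the four strings to audit().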
APPENDIX
The procedures in this appendix help you to set up Shared Services in a cluster if you are using a hardware load balancer, which supports session persistence, or if you are setting up a cluster using a software load balancer (Proxy Plug-in). This appendix also provides information about replicating the OpenLDAP environment.
In This Appendix
About Clustering
About Load Balancing
Using a Hardware Load Balancer
Using a Software Load Balancer (Proxy Plug-In)
Replicating the OpenLDAP Environment
About Clustering
An application server cluster is a set of application servers running one application. The application server processes can run on one computer or on multiple computers. From a client view, a cluster appears to be one server instance. Clustered application servers behave similarly to single servers, except they provide load balancing and failover. All server instances in a cluster must reside in the same cell (defined in the following table) of an application server domain.
Note: Session failure is not supported with application server clusters.
Client processing requests are balanced, enabling incoming work requests to be distributed according to a configured WLM selection policy.
Failover capability provided by redirecting client requests to a running server when one or more servers are unavailable. This improves the availability of applications and administrative services.
Systems can be scaled to serve a higher client load than provided by the basic configuration. With clusters and cluster members, additional instances of servers can easily be added to the configuration.
Servers can be transparently maintained and upgraded while applications remain available for users.
Centralized administration of application servers and other objects.
Clustering Terminology
Definition
An application server process running in its own Java Virtual Machine (JVM)
A logical group of servers located on one physical computer. Multiple nodes can exist on one computer, but for this document, assume only one node exists for each physical computer.
Node agent
An administrative process that manages the servers running on a node A node agent resides on one node.
Cell
A logical group of nodes belonging to one administrative domain A cell is a configuration concept, a way for administrators to logically associate nodes with one another. Administrators define the nodes that make up a cell according to whatever criteria make sense in their organizational environments.
Table 1 Clustering Terminology (Continued)
Cell manager
Also called network deployment manager, it manages the multiple nodes in a distributed topology. Technically, an application server running an instance of the administration console can manage the application servers configured in one cell. It does this by interacting with the node agent running on each physical computer in the cell.
Load balancing
Server clusters come in two main varieties: vertical and horizontal. These are sometimes referred to as vertical scalability and horizontal scalability. Vertical clustering refers to the practice of defining multiple clones of an application server on one physical computer. In some cases one application server, which is implemented by one JVM process, cannot fully utilize the CPU power of a large computer and drive CPU load up to 100%. Vertical clusters provide a straightforward mechanism to create multiple JVM processes that can fully utilize the processing power available as well as providing process level failover. Horizontal clustering refers to the more traditional practice of defining clones of an application server on multiple physical computers, thereby enabling one application to span several computers while presenting one system image. Horizontal cloning can provide increased throughput and failover.
Note: Never run clustering on multiple computers unless their clocks are synchronized using some form of time-synchronization service (daemon) running very regularly (the clocks must be within a second of each other). Never start a non-clustered instance against the same set of tables that another instance is running against. It causes serious data corruption and erratic behavior.
These instructions are not specific to clustering, but they explain how to install Shared Services.
2 When configuring the second, third, and fourth (and so on) nodes, perform these configurations:
Choose to reuse the data while configuring the relational storage for Shared Services.
Modify the CSS.xml file to update the following element:
<hub location="http://HOSTNAME:PORT">
  <dirPort>LDAP_PORT</dirPort>
</hub>
The value for hub location is the primary (first node) Shared Services host name and port number. The value for dirPort is the port number of the OpenLDAP database on the primary Shared Services computer.
In the Domain.xml file, set the global cache to off. To do so, set the value of slidecache from on to off.
To use the OpenLDAP servers on these nodes as failovers, follow the procedure in Replicating the OpenLDAP Environment on page 183.
3 Add the host name (IP address) of each of the nodes into the load balancer host list.
WebSphere Clustering
This section includes these procedures for WebSphere clustering:
Creating the Deployment Manager Cell
Setting Up the Shared Services Clustering Environment
Installing Shared Services To A Cluster
Adding Support for Additional Ports to the Default Host
Setting the Class Path
Deploying One Application on Multiple Servers
Selecting Server Settings
HTTP Web Plug-in Settings
Note: The procedures in this section use horizontal clustering on two physical computers.
2 Add two WebSphere nodes to the cell for the Deployment Manager:
a. On machine1, navigate to the WEBSPHERE\AppServer\bin directory.
b. Type the following command:
addNode.bat <machineName>
where <machineName> is the name of the computer on which the Deployment Manager is running.
For example: addNode.bat machine1
Note: You cannot run the addNode command on two nodes simultaneously.
For example: WEBSPHERE\AppServer\bin>addNode.bat machine1
When you complete this procedure, you have a deployment manager, a node agent running on machine1, and a node agent running on machine2. To verify the installation to this point, review the following logs:
WEBSPHERE\AppServer\logs\nodeagent\SystemOut.log (on all computers)
WEBSPHERE\DeploymentManager\logs\dmgr\SystemOut.log (on machine1)
Option 1: Install Shared Services on two computers with identical directory structures. Some jar files and configuration files are required before the server startup and runtime. For example:
c:\websphere on machine1
c:\websphere on machine2
With this option, there are two sets of configuration files available on two computers (Domain.xml, CSS.xml, WorkflowEngine.properties, and Scheduler.properties). If the configuration settings are changed on one computer, copy those files to the other computer manually. To overcome this problem, use option 2.
Option 2: Install Shared Services on one computer (for example, c:\websphere on machine1) and share the folder to machine2 with all permissions. Now map this folder on two computers (machine1 and machine2) designating J: for c:\websphere and i: for HYPERION_HOME. With this option, there is only one set of configuration files shared by the computers, so whenever the configuration settings are changed, they are automatically available for the computers.
2 In the Domain.xml file, set the global cache to off. To do so, set the value of slidecache from on to off.
b. Start node agents on both computers using the startNode.bat command; for example, WEBSPHERE\AppServer\bin>addNode.bat.
c. Open the Network Deployment Administrative Console.
d. In the left frame, select Servers > Clusters.
e. In the right frame, click New.
f. Under Step 1: Enter Cluster Name:
   i. In Cluster Name, type a name for the cluster; for example, HubCluster.
   ii. Deselect Prefer local enabled.
   iii. Select Create Replication Domain for this cluster.
   iv. Click Next.
g. Under Step 2: Create New Clustered Servers:
   i. In Name, type a name for the cluster member; for example, HubClone1.
   ii. In Select Node, select the node where the clustered member is created; for example, machine1.
   iii. In Weight, type 2.
   iv. Select the following options:
      Generate Unique HTTP Ports
      Create Replication Entry in this Server
      Default application server template
   v. Click Apply.
h. On this page (Step 2: Create New Clustered Servers):
   i. In Name, type a name for the cluster member on the second computer; for example, HubClone2.
   ii. In Select Node, select the node where the clustered member is created; for example, machine2.
   iii. In Weight, type 2.
   iv. Select the following options:
      Generate Unique HTTP Ports
      Create Replication Entry in this Server
      Default application server template
   v. Click Apply.
i. On this page (Step 2: Create New Clustered Servers):
   i. In Name, type a name for the cluster member on the second computer; for example, HubClone3.
   ii. In Select Node, select the node where the clustered member is created; for example, machine2.
   iii. In Weight, type 4.
      Generate Unique HTTP Ports
      Create Replication Entry in this Server
      Default application server template
   v. Click Apply. WebSphere displays a list of cloned servers at the bottom of the page.
j. Click Next.
k. Under Step 3: Summary, review the list of cloned servers and attributes:
   If the summary is correct, click Finish and save. The cluster (HubCluster) is listed in the Server Cluster list.
   If the summary is incorrect, click Previous and make corrections.
To install Shared Services to the newly created WebSphere server cluster (HubCluster):
1 In the left frame, select Applications > Install New Application.
2 In the right frame, select the Local path option and click Browse.
3 Navigate to the WebSphere interop.war file and select it.
4 In Context Root, type interop.
5 Click Next.
6 Under Preparing for the application installation, accept the defaults and click Next.
7 Under Step 1: Provide options to perform the installation, accept the defaults and click Next.
8 Under Step 2: Map virtual hosts for web modules, in Virtual Host, select default_host and click Next.
9 Under Step 3: Map modules to application servers, perform the following actions:
a. Select Module.
b. Select the cluster (HubCluster) and click Apply.
c. Click Next.
d. Under Step 4: Summary, click Finish.
During cluster setup, three clones are created with unique HTTP ports, meaning the HTTP listeners for the internal servers running in each application server have values. The algorithm used by the administration process to create ports uses a default value (9080 for HTTP transport) and increments up to the next free value for each server defined. So in this case, when the Application Server was installed, a standalone server called server1 was created. When the node was added to the deployment manager, server1 was also migrated to become a manager server. Server1 uses port 9080 for its HTTP transport. On machine1, HubClone1 was created using port 9081. On machine2, HubClone2 uses port 9081 and HubClone3 uses port 9082. When installing the interop.war file, the default_host virtual host was used for the Web modules. By default, the default_host accepts HTTP requests only on port 9080, so you must configure this virtual host to also accept requests for ports 9081 and 9082.
5 Repeat step 4 for ports 9082 and 58080.
6 Select the Synchronize changes with Nodes option and click Save to save the configuration.
Option 1: Install Shared Services on two computers with identical directory structures.
Option 2: Install Shared Services on one computer (for example, c:\websphere on machine1) and share the folder to machine2 with all permissions.
To set the classpath if you chose deployment option 1 (install Shared Services on two computers with identical directory structures):
1 In the left frame, open the Environment folder, and click the Manage WebSphere Variables link.
2 Click New and create the following variables:
HYPERION_HOME: Set the value to the HYPERION_HOME directory you specified during installation. The default is c:\hyperion.
HSS_HOME: Set the value to the <HSS_HOME> directory you specified during installation. c:\hyperion\SharedServices\9.2.
3 In the left frame, open the Environment folder and click the Shared Libraries link.
4 Click New, name the shared library Hub libs, and add the following libraries to the shared library:
Classpath:
%HSS_HOME%\AppServer\InstallableApps\other\Hub_9_0_0ProductBean.jar
%HSS_HOME%\AppServer\InstallableApps\common
%HSS_HOME%\AppServer\InstallableApps\common\hyddtek.jar
%HSS_HOME%\server\conf
%HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1
%HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1\commons-dbcp.jar
%HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1\commons-collections-3.1.jar
%HSS_HOME%\AppServer\InstallableApps\WebSphere\5.1\commons-pool.jar
To set the classpath if you chose deployment option 2 (install Shared Services on one computer and share the folder to a second computer with all permissions):
1 In the left frame, open the Environment folder and click the Manage WebSphere Variables link.
2 Click New and create the following variables:
HYPERION_HOME: Set the value to the HYPERION_HOME directory you specified during installation; for example, i:\.
HSS_HOME: Set the value to the HSS_HOME directory you specified during installation; for example, j:\hyperion\SharedServices\9.2.
3 In the left frame, open the Environment folder, and click the Shared Libraries link.
4 Set the class path scope to the cell level. To specify cell scope, clear Node and Server and click Apply.
5 Click New, name the shared library Hub libs, and add the following libraries to the shared library:
Classpath:
${HSS_HOME}/Hub9_0_0ProductBean.jar
${HSS_HOME}/other/hyddtek.jar
${HSS_HOME}/other
${HSS_HOME}/server/conf
5 Next to Session tracking mechanism, select Enable Cookies. Click Apply.
6 Click Enable Cookies and change the cookie name to HUBSESSIONID.
7 Click Apply. Click OK.
8 In the Session Management Configuration tab, scroll down to Additional Properties and click Distributed Environment Settings.
9 Next to Distributed Sessions, select Memory to Memory Replication. Click Apply.
10 Click Memory to Memory Replication.
11 In Runtime mode, select Both client and server.
12 Click Apply. Click OK.
13 Scroll down to Additional Properties and click Custom Tuning Parameters.
14 Next to Tuning level, select Low (optimize for failover).
15 Click Apply. Click OK.
16 In the left frame, select Servers > Application Servers and in the right frame, click HubClone1.
17 In the Configuration tab, scroll down to Additional Properties and click Web Container.
18 Under Additional Properties, click HTTP transports.
19 Click the 9081 port Host * to set the custom properties.
20 Scroll down to Additional Properties and click Custom Properties.
21 Under Custom Properties, click New and add the following custom properties:
ConnectionIOTimeout = 30
ConnectionKeepAliveTimeout = 30
22 Repeat the steps for selecting server settings for all servers (hubClone2, hubClone3) in the cluster.
23 Save the configuration, ensuring Synchronize changes with Nodes is selected.
2 Open the $DeploymentManager_Home\config\cells\plugin-cfg.xml file.
3 Change the value for AcceptAllContent from "false" to "true".
For example:
<Config ASDisableNagle="false" AcceptAllContent="true" IISDisableNagle="false" IgnoreDNSFailures="false" RefreshInterval="60" ResponseChunkSize="64">
4 Save the plugin-cfg.xml file changes.
5 You can manually copy the plugin-cfg.xml file to the WebSphere installation directory or you can update the location of the plug-in file in the httpd.conf file. Select one of the following options:
Copy the plugin-cfg.xml from the \DeploymentManager\config\cells folder to <WAS_HOME>\config\cells\plugin-cfg.xml.
Open the $IBMHttpServer_HOME\conf\httpd.conf file. The last line of this file contains a location for the plugin-cfg.xml file. Change the location of the plugin-cfg.xml file to <WAS_HOME>\config\cells\plugin-cfg.xml and save the httpd.conf file changes.
WebLogic Clustering
This section includes the following procedures for WebLogic clustering:
Creating Server Clusters
Setting Node Manager Properties
Setting Up WebLogic Deployment Descriptors
Removing the IP Address from Config.xml
Setting the Path
Starting the Managed Servers from the WebLogic Server Console
Deploying the Web Application Module
Serving WebLogic WebDav Methods In a Cluster Mode
2 On the first screen, select Create a new WebLogic configuration and click Next.
3 Under Select a Configuration Template, select the Basic WebLogic Server Domain template and click Next.
4 Under Choose Express or Custom Configuration, select Custom and click Next.
5 Under Configure the Administration Server:
a. In Name, type InteropAdminServer.
b. From Listen Address, select All Local Addresses.
c. In Listen Port, type 7001.
d. Click Next.
6 Under Managed Servers, Clusters, and Machines Options, select Yes and click Next.
7 Under Configure Managed Servers, click Add and take the following actions:
a. In Name, type FirstServer.
b. In Listen Address, select All Local Addresses.
c. In Listen Port, type 8001.
d. Repeat steps 7a, 7b, and 7c to add three additional servers with the following entries:
Name                 Listen Address        Listen Port
SecondServer         All Local Addresses   8002
OtherMachineServer   All Local Addresses   8003
HttpProxyServer      All Local Addresses   8004
e. Click Next.
8 Under Configure Clusters, click Add and type the following text. Click Next:
In Name, type InteropCluster.
In Multicast address, type 237.0.0.101.
In Multicast port, type 8050.
10 Under Create HTTP Proxy Applications, select Create HTTP proxy for cluster InteropCluster and select HttpProxyServer. Click Next.
11 Under Configure Machines, create the computer names with unique port numbers to which you are mapping your managed server in the next step. Click Next.
For example:
Name       Node manager listen address   Node manager listen port
Machine1   All Local Addresses           5555
Machine2   All Local Addresses           4321
12 Under Assign Servers to Machines, map the managed server to the respective machines. Click Next.
13 Under Database (JDBC) Options, select No and click Next.
14 Under Messaging (JMS) Options, select No and click Next.
15 Under Application and Services Targeting Options, select No and click Next.
16 Under Configure Administrative Username and Password:
a. In Name, type weblogic.
b. In Password and Confirm user password, type weblogic.
c. Select No and click Next.
2 Open the nodemanager.properties file.
3 Set the following properties in the nodemanager.properties file:
ListenAddress = machinename
ListenPort = 5555
ReverseDnsEnabled = true
WeblogicHome = c:\bea\weblogic81
bea.home = c:\bea
4 Save and close the nodemanager.properties file.
5 Open the installNodeMgrSvc.cmd file in the <bea_HOME>\weblogic81\server\bin directory.
Note: The WebLogic Server installation process installs Node Manager as an operating system service: a daemon on UNIX systems, or a Windows service on Windows systems.
6 Edit the installNodeMgrSvc.cmd file to specify the node manager's listen address and listen port as follows:
set NODEMGR_HOST=machineName
set NODEMGR_PORT=5555
7 Save and close the installNodeMgrSvc.cmd file.
8 Open the uninstallNodeMgrSvc.cmd file in the same directory and make the changes you made in step 6.
9 Save and close the uninstallNodeMgrSvc.cmd file.
10 Run the installNodeMgrSvc.cmd file to reinstall Node Manager as a service, listening on the updated address and port.
11 Go to the second computer and repeat the preceding steps for the nodemanager.properties file, the installNodeMgrSvc.cmd file, and the uninstallNodeMgrSvc.cmd file.
Note: When setting the properties in the nodemanager.properties file for the second computer, do not add the ListenAddress property. Also update the ListenPort, WeblogicHome, and bea.home properties as applicable for the second computer.
12 On the first computer, open a command prompt, specify the directory <bea_HOME>\user_projects\domains\InteropSetup, and run the startWebLogic.cmd.
13 If you are asked for a username and password, type weblogic / weblogic.
14 On the first computer, open the nodemanager.hosts file in <bea_HOME>\weblogic81\common\nodemanager and add the computer name or IP address of the second computer where the OtherMachineServer is running.
For example:
# Host names from which the connection to the
# node manager will be accepted.
# You can edit this file manually.
# E.g. - for allowing a machine named holly to connect,
# uncomment one of the following lines based on whether
# ReverseDnsEnabled property is turned on or off.
#holly.bea.com
#172.17.24.145
192.168.159.200
hyperiontest3
15 Save and close the nodemanager.hosts file on the first computer.
16 On the second computer, open the nodemanager.hosts file in <bea_HOME>\weblogic81\common\nodemanager and add the computer name or IP address of the first computer.
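The nodemanager.hosts file edited in the steps above is the list of hosts from which Node Manager accepts connections, so it is worth checking on each computer that it holds only the other cluster members. The following is an added example, not part of the guide or of WebLogic: the expected_peers argument and the sample file contents are constructed for the illustration, and it assumes that host-name entries are honored only when ReverseDnsEnabled is true and that an absent property means false.

```python
import ipaddress
import re

# Constructed samples built from the values shown in the guide.
SAMPLE_PROPERTIES = r"""ListenAddress = machinename
ListenPort = 5555
ReverseDnsEnabled = true
WeblogicHome = c:\bea\weblogic81
bea.home = c:\bea
"""
SAMPLE_HOSTS = """# Host names from which the connection to the
# node manager will be accepted.
#holly.bea.com
#172.17.24.145
192.168.159.200
hyperiontest3
"""


def reverse_dns_enabled(properties_text):
    """True only if nodemanager.properties sets ReverseDnsEnabled to true."""
    match = re.search(r"^\s*ReverseDnsEnabled\s*=\s*(\S+)", properties_text, re.MULTILINE)
    return match is not None and match.group(1).lower() == "true"


def trusted_hosts(hosts_text):
    """Return the active (uncommented, non-blank) entries of nodemanager.hosts."""
    entries = []
    for raw in hosts_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def is_ip_address(entry):
    """True if the entry is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def audit_trusted_hosts(hosts_text, properties_text, expected_peers):
    """Compare nodemanager.hosts with the peers this node should trust.

    expected_peers is a hypothetical input: the host names or IP addresses of
    the other cluster computers. Returns a list of findings (empty if clean).
    """
    findings = []
    dns_names_allowed = reverse_dns_enabled(properties_text)
    expected = {peer.lower() for peer in expected_peers}
    entries = [entry.lower() for entry in trusted_hosts(hosts_text)]

    for entry in entries:
        # Anything beyond the known cluster members widens who may reach Node Manager.
        if entry not in expected:
            findings.append(f"unexpected trusted host: {entry}")
        # A host name cannot be matched if reverse DNS lookups are switched off.
        if not is_ip_address(entry) and not dns_names_allowed:
            findings.append(f"host name '{entry}' requires ReverseDnsEnabled = true")

    # A peer that is not listed will be refused when it tries to connect.
    for peer in sorted(expected - set(entries)):
        findings.append(f"expected peer missing from nodemanager.hosts: {peer}")
    return findings


if __name__ == "__main__":
    peers = {"192.168.159.200", "hyperiontest3"}
    for finding in audit_trusted_hosts(SAMPLE_HOSTS, SAMPLE_PROPERTIES, peers):
        print(finding)
```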
Also, add these tags to the two weblogic.xml configuration files in the following BEA directories:
Add the following <init-param> tags (in bold text below) to the web.xml file under the following directories:
3 Delete the value for FrontendHost; for example, FrontendHost="".
4 Save and close the config.xml file.
$BEA_DIR is the installation directory of the BEA WebLogic server; for example, in UNIX, /opt/bea, and, in Windows, c:\bea.
$HYPERION_HOME is the directory where HYPERION_HOME is set; for example, c:\hyperion (Windows) or /home/username/Hyperion (UNIX).
$HSS_HOME is the directory in which you installed Shared Services; for example, c:\hyperion\SharedServices\9.2 (Windows) or /home/username/Hyperion/SharedServices/9.2 (UNIX).
2 In the login screen type weblogic for the Username and Password. 3 After you are logged on to the WebLogic Server Console, expand the Machines node in the left frame to
view the two computer names you created in the WebLogic Configuration Wizard.
5 In the right frame, select the Monitoring tab and view the Node Manager Status. Check that the State is RUNNING.
6 Select the second computer listed under the Machines node, select the Monitoring tab, and check that the State is RUNNING for the second computer.
If the states are RUNNING, you can proceed to the next step.
7 In the left frame, click the Servers node to view the servers you created in the WebLogic Configuration Wizard. Click FirstServer under the Servers node.
8 In the right frame, click the Remote Start tab and enter the following settings:
a. Set Java Home to c:\bea\jdk142_05.
b. Set BEA Home to c:\bea.
c. Copy the jar file CR228256_81sp4_v2.jar from C:\Hyperion\SharedServices\9.2\AppServer\InstallableApps\WebLogic\8.1 to C:\bea\weblogic81\server\lib.
d. Set Class Path as follows:
$BEA_DIR\weblogic81\server\lib\cr228256_81sp4_v2.jar;
$BEA_DIR\weblogic81\server\lib\weblogic.jar;
$BEA_DIR\weblogic81\server\lib\ojdbc14.jar;
$BEA_DIR\weblogic81\server\lib\webservices.jar;
$BEA_DIR\jdk142_05\lib\tools.jar;
$HSS_HOME\AppServer\InstallableApps\other\Hub9_0_0ProductBean.jar;
$HSS_HOME\AppServer\InstallableApps\catalina.jar;
$HSS_HOME\AppServer\InstallableApps\other\commons-dbcp.jar;
$HSS_HOME\AppServer\InstallableApps\other\commons-collections.jar;
$HSS_HOME\AppServer\InstallableApps\other\commons-pool.jar;
$HSS_HOME\AppServer\InstallableApps\common\hyddtek.jar;
$HSS_HOME\AppServer\InstallableApps\other\jdom-b9.jar;
$HSS_HOME\AppServer\InstallableApps\common
f.
While updating the classpath for OtherMachineServer, enter the applicable classpath for the second computer.
Note: Hyperion assumes that the installation structure for WebLogic and Shared Services is identical on the computers where the Managed Servers for clustering were created.
10 In the left frame, select FirstServer, and in the right frame, select the KeyStores & SSL tab.
11 Scroll down and click Show Advanced Options.
12 Under Advanced Options, from Hostname Verification, select None.
13 Repeat steps 10, 11, and 12 for the remaining managed servers (SecondServer and OtherMachineServer).
14 In the left frame, select the first computer listed under the Machines node and update the Listen Address of HTTpProxyServer.
15 Select the Node Manager tab and add the Listen Address for each computer listed under the Machines node.
In the Domain.xml file, set the global cache to off. To do so, set the value of slidecache from on to off.
In the scheduler.properties file, uncomment the following line:
org.quartz.jobStore.isClustered=true
4 Click Target Module.
5 Under Clusters, select InteropCluster.
6 Select All servers in the cluster and click Continue.
7 Accept all defaults and click Deploy.
3 Remove the following classes from all weblogic.jar files on all computers where the managed servers are installed:
Create the following directory for storing the replication related log files:
drive:\OpenLdap\logfiles
b. On machine2, update the <HSS_HOME>\OpenLdap\slapd.conf file (slave) with the following changes:
i. Include an updatedn line as follows:
updatedn cn=Replicator,dc=css,dc=hyperion,dc=com
Note: Ensure the value of the updatedn entry is the same as the binddn entry in the master slapd.conf file.
ii. Update the rootdn value to be the same as the updatedn (Replicator) value:
rootdn cn=Replicator,dc=css,dc=hyperion,dc=com
6 Copy the contents from the machine1 (Master) database directory to machine2 (Slave) database directory. Copy all database files located in the database directory specified in the slapd.conf file.
8 Start the Shared Services LDAP Service on machine1 (Master).
9 Start the Shared Services LDAP Service on machine2 (Slave).
10 Start slurpd on machine1 as follows:
For Windows:
$HSS_HOME\openLdap\slurpd -f <masterslapdconfigfile>
For UNIX:
./slurpd -f /var/Hyperion/SharedServices/9.2/openLDAP/usr/local/etc/openldap/slapd.conf -t /var/Hyperion/SharedServices/9.2/openLDAP/usr/local/var/openldap-slurp
from
/var/Hyperion/SharedServices/9.2/openLDAP/usr/local/libexec
For Solaris:
a. Make a copy of the startOpenLDAP.sh file in the openLDAP folder and rename it to startSlurpd.sh (or another name you choose).
b. Open the renamed file and change the following line of code:
$OPENLDAP_HOME/usr/local/libexec/slapd -f $OPENLDAP_HOME/usr/local/etc/openldap/slapd.conf -h ldap://wolverine:58089 -d 1
to
$OPENLDAP_HOME/usr/local/libexec/slurpd -f $OPENLDAP_HOME/usr/local/etc/openldap/slapd.conf -t /vol1/Hyperion/SharedServices/9.2/openLDAP/usr/local/var/openldap-slurp -d 1
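The two rules for the slave slapd.conf (updatedn must equal the binddn in the master slapd.conf, and rootdn must equal updatedn) can be checked before slurpd is started. The following is an added example, not part of the original guide: the slapd.conf excerpts are constructed, the replica line uses standard OpenLDAP slurpd syntax, and the host machine2:58089 and the credentials value are placeholders.

```python
import re

# Constructed slapd.conf excerpts; host, port and credentials are placeholders.
MASTER_CONF = """\
# machine1 (master)
replica host=machine2:58089
        binddn="cn=Replicator,dc=css,dc=hyperion,dc=com"
        bindmethod=simple credentials=PLACEHOLDER
"""

SLAVE_CONF_OK = """\
# machine2 (slave)
updatedn cn=Replicator,dc=css,dc=hyperion,dc=com
rootdn   "cn=Replicator,dc=css,dc=hyperion,dc=com"
"""

# The same slave file with a mistyped last component in rootdn.
SLAVE_CONF_BAD = SLAVE_CONF_OK.replace('dc=com"', 'dc-com"')

# A token is a run of non-blank characters in which "..." may contain blanks.
_TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')


def logical_lines(text):
    """Drop comments and blank lines; join continuation lines (leading blank)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def directives(text):
    """Map each directive name (lower case) to the list of its argument lists."""
    found = {}
    for line in logical_lines(text):
        tokens = [tok.replace('"', "") for tok in _TOKEN.findall(line)]
        if tokens:
            found.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return found


def norm_dn(dn):
    """Lower-case a DN and strip blanks around ',' and '=' (no escaped commas)."""
    rdns = (rdn.split("=", 1) for rdn in dn.split(","))
    return ",".join("=".join(p.strip().lower() for p in rdn) for rdn in rdns)


def malformed_rdns(dn):
    """Return the DN components that lack the attribute=value form."""
    return [rdn.strip() for rdn in dn.split(",") if "=" not in rdn]


def first_value(conf, name):
    """Return the first argument string of a directive, or None if absent."""
    args = conf.get(name)
    return " ".join(args[0]) if args and args[0] else None


def check_replication(master_text, slave_text):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    master, slave = directives(master_text), directives(slave_text)
    binddns = {
        norm_dn(arg.partition("=")[2])
        for args in master.get("replica", [])
        for arg in args
        if arg.lower().startswith("binddn=")
    }
    updatedn = first_value(slave, "updatedn")
    rootdn = first_value(slave, "rootdn")
    if not binddns:
        problems.append("master: no replica binddn found")
    for name, dn in (("updatedn", updatedn), ("rootdn", rootdn)):
        if dn is None:
            problems.append(f"slave: {name} is missing")
            continue
        for part in malformed_rdns(dn):
            problems.append(f"slave: {name} has malformed component {part!r}")
    if updatedn and binddns and norm_dn(updatedn) not in binddns:
        problems.append("slave: updatedn does not match any master replica binddn")
    if updatedn and rootdn and norm_dn(rootdn) != norm_dn(updatedn):
        problems.append("slave: rootdn does not match updatedn")
    return problems


if __name__ == "__main__":
    for label, conf in (("ok", SLAVE_CONF_OK), ("bad", SLAVE_CONF_BAD)):
        print(label, check_replication(MASTER_CONF, conf))
```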
APPENDIX E
This appendix describes how to back up and recover Shared Services data and configuration files in the event of a failure.
In This Appendix
Backing Up Shared Services
Recovering Shared Services
Running the Sync OpenLDAP Utility
A relational database
Shared Services supports several relational databases. The relational database stores the event, administrator, and metadata-services-related data. Supported database versions are listed in Chapter 3, Planning the Shared Services Installation. The procedures for backing up the relational database are specific to the type of database Shared Services is configured against. See the database vendor documentation for the procedure to back up relational database data.
An OpenLDAP database
The OpenLDAP database is installed with Shared Services and is automatically configured by Shared Services. OpenLDAP stores the security-services-related data.
So that Shared Services can recover from a catastrophic failure, these data sources must be backed up simultaneously so that the data in them is synchronized.
1 Ensure that the Shared Services database is in online backup mode.
2 Run the following command:
For Windows:
<HSS_HOME>\server\scripts\backup.bat backup_folder_name
where <HSS_HOME> is the location where Shared Services is installed and backup_folder_name is the path to the backup folder. For example:
c:\hyperion\SharedServices\9.2\server\scripts\backup.bat c:\HSS_backup
For UNIX:
<HSS_HOME>/server/scripts/backup.sh backup_folder_name
where <HSS_HOME> is the location where Shared Services is installed and backup_folder_name is the path to the backup folder. For example:
/home/username/Hyperion/SharedServices/9.2/server/scripts/backup.sh /home/username/HSS_backup
3 Optional: Copy the backup folder to a backup device such as a CD-ROM, alternate disk, or tape.
Files Backed Up
These files are backed up:
Directory | Files
<HSS_HOME>\AppServer\InstalledApps\appServer\version\ | Domain.xml, slide.properties, CSS.xml, WorkflowEngine.properties, Scheduler.properties, manage_data.properties
<HSS_HOME>\OpenLDAP | slapd.conf
<HSS_HOME>\OpenLDAP\var\openldap-data | *.bdb files, log.* files
For Windows:
<HSS_HOME>\server\scripts\recover.bat backup_folder_name
where <HSS_HOME> is the location where Shared Services is installed and backup_folder_name is the path to the backup folder. For example:
c:\hyperion\SharedServices\9.2\server\scripts\recover.bat c:\HSS_backup
For UNIX:
<HSS_HOME>/server/scripts/recover.sh backup_folder_name
where <HSS_HOME> is the location where Shared Services is installed and backup_folder_name is the path to the backup folder. For example:
/home/username/Hyperion/SharedServices/9.2/server/scripts/recover.sh /home/username/HSS_backup
The recover script picks up the backed up configuration and data files from the backup directory and places them in the appropriate directory under <HSS_HOME>. For the list of restored files, see Files Backed Up on page 189.
For Windows:
<HSS_HOME>\server\scripts\recover.bat backup_folder_name catRecovery
where <HSS_HOME> is the location where Shared Services is installed and backup_folder_name is the path to the backup folder. For example:
c:\hyperion\SharedServices\9.2\server\scripts\recover.bat c:\HSS_backup catRecovery
For UNIX:
<HSS_HOME>/server/scripts/recover.sh backup_folder_name catRecovery
where <HSS_HOME> is the location where Shared Services is installed and backup_folder_name is the path to the backup folder. For example:
/home/username/Hyperion/SharedServices/9.2/server/scripts/recover.sh /home/username/HSS_backup catRecovery
The recover script picks up the appropriate configuration and data files from the backup directory and places them in the appropriate directory under <HSS_HOME>.
APPENDIX F
When you use the Shared Services External Authentication Provider Configuration Console to set up external authentication, the console writes your configuration information to the CSS.xml file packaged with Shared Services. The CSS.xml file is located on the computer hosting Shared Services, at:
<HSS_HOME>\AppServer\InstallableApps\common\CSS.xml
where <HSS_HOME> represents the directory where Shared Services was installed. Completion of the Shared Services configuration populates most of the XML file, but there are some additional elements you can configure. See Additional Configuration Elements on page 88.
In This Appendix
Basic XML Configuration Example
Extended XML Configuration Example
        <maxSize>200</maxSize>
        <identityAttribute>dn</identityAttribute>
        <user>
          <url>ou=people</url>
          <loginAttribute>uid</loginAttribute>
          <fnAttribute>givenname</fnAttribute>
          <snAttribute>sn</snAttribute>
          <emailAttribute>mail</emailAttribute>
          <objectclass>
            <entry>person</entry>
            <entry>organizationalPerson</entry>
            <entry>inetOrgPerson</entry>
          </objectclass>
        </user>
        <group>
          <url>ou=Groups</url>
          <nameAttribute>cn</nameAttribute>
          <objectclass>
            <entry>groupofuniquenames?uniquemember</entry>
            <entry>groupOfNames?member</entry>
          </objectclass>
        </group>
      </msad>
    </provider>
  </spi>
  <searchOrder>
    <el>ntlmServer</el>
    <el>ldapServer</el>
    <el>msadServer</el>
  </searchOrder>
  <token>
    <timeout>60</timeout>
  </token>
  <logger>
    <priority>FATAL</priority>
  </logger>
  <!-- <securityAgent name="NETEGRITY"/> For SiteMinder integration with web-based Hyperion applications -->
</css>
APPENDIX G
In This Appendix
Shared Services Log Configuration Files
Debugging Shared Services
Shared Services Log Files
Setting Log Levels for the OpenLDAP Database
Troubleshooting OpenLDAP
Utilities for Troubleshooting Shared Services
Accessing the User Management Console
Note: <HSS_HOME> is the directory in which you installed Shared Services; for example, c:\Hyperion\SharedServices\9.2 on Windows and /home/username/Hyperion/SharedServices/9.2 on UNIX.
CSS.xml
HSSLogger.properties
The location of these files varies depending on the application server you are using. For example, if you installed Shared Services 9.2.1 with Tomcat 5.0.28 as the application server, these files would be located in <HSS_HOME>\AppServer\InstalledApps\Tomcat\5.0.28.
For external authentication and single sign-on:
i. Launch the Shared Services External Authentication Configuration Console.
ii. In the Additional Configuration section, locate Logging Level.
iii. In Logging Level, select DEBUG.
iv. Click Save. Changes are written to the CSS.xml file.
For Shared Services models, open the HSSlogger.properties file and set the value for log4j.logger.com.hyperion.eie to DEBUG. For example, log4j.logger.com.hyperion.eie=DEBUG. Save your changes.
For the Shared Services User Management Console, open the HSSlogger.properties file and set the value for log4j.logger.com.hyperion.cas to DEBUG. For example, log4j.logger.com.hyperion.cas=DEBUG. Save your changes.
For Shared Services taskflows, open the HSSlogger.properties file and set the values for the following to DEBUG:
Save your changes.
You must restart Shared Services after making changes to the log level settings.
Most of the preceding server logs are located in the Shared Services logs directory. For example:
For Tomcat, the logs are located at <HSS_HOME>\AppServer\InstalledApps\Tomcat\5.0.28\SharedServices9\logs.
For Weblogic, the logs are located at <HSS_HOME>\AppServer\InstalledApps\WebLogic\<version>\SharedServices9\logs.
For Websphere, the logs are located at <HSS_HOME>\AppServer\InstalledApps\Websphere\5.x\SharedServices9\logs.
In addition to the preceding locations, the External Authentication client log (SharedServices_Security_Client.log) file is located in the Temp directory of the product using the external authentication client. The location of the Temp directory varies based on the application server and platform you are using.
The OpenLDAP Windows service is automatically configured with the -d flag. On UNIX, the OpenLDAP startup script contains the option. The installer takes care of setting this flag.
Some examples:
If you start OpenLDAP with the following command:
slapd -d 0
No details are logged in the OpenLDAP server console. Conversely, if you start OpenLDAP with the following command:
slapd -d -1
All details of every operation carried out are logged in the OpenLDAP server console. To selectively enable the log level for viewing access control list processing, start OpenLDAP using the following command:
slapd -d 128
The OpenLDAP server console displays access control data like which user has what kind of access on a particular resource.
Table 2 OpenLDAP Startup Commands
Command | Log Details | Description
slapd -d -1 | Enable all debugging | Provides the most logs. Logs include every transaction or query done with OpenLDAP.
slapd -d 0 | No debugging | No logs are provided.
slapd -d 1 | Trace | Traces function calls in OpenLDAP
slapd -d 2 | Debug packet handling | Enables debugging of packet handling in OpenLDAP
slapd -d 4 | Heavy trace debugging | Provides a huge amount of trace with data searched in database
slapd -d 8 | Connection management | Displays all data available in database with its internal process logs
slapd -d 16 | Print out packets sent and received | Displays all packets sent & received
slapd -d 32 | Search filter processing | Displays all filter and search data available in OpenLDAP
slapd -d 64 | Configuration processing | Displays configured data like Object class and its attributes, and so on
slapd -d 128 | Access control list processing | Displays access control data like which user has what kind of access on a particular resource
slapd -d 256 | Stats log connections/operations/results | Displays add/modify/delete operations on a particular resource. (The -1 option displays this as well, but the 256 option provides fewer logs than the -1 option.)
slapd -d 512 | Stats log entries sent | Displays connection number, operation number, and the DN values
slapd -d 1024 | Print communication with shell backends | Displays index properties of each attribute in an object class
slapd -d 2048 | Print entry parsing debugging | Provides schema-level detail
slapd -d 4096 | Database cache processing | Displays database cache processing data like index parameters and so on.
slapd -d 8192 | Database indexing | Provides database index details
slapd -d 16384 | Syncrepl consumer processing | Displays replica processing operations (master/slave OpenLDAP configuration)
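slapd treats the -d value as a bit mask, so the values in Table 2 can be added together to enable several categories at once. The following added example (not part of the original guide) extracts the -d value from a startup command and lists the Table 2 categories it enables; the function names are illustrative, and a single -d option per command is assumed.

```python
# Debug levels from Table 2 of this guide: bit value -> log detail.
LEVELS = {
    1: "Trace",
    2: "Debug packet handling",
    4: "Heavy trace debugging",
    8: "Connection management",
    16: "Print out packets sent and received",
    32: "Search filter processing",
    64: "Configuration processing",
    128: "Access control list processing",
    256: "Stats log connections/operations/results",
    512: "Stats log entries sent",
    1024: "Print communication with shell backends",
    2048: "Print entry parsing debugging",
    4096: "Database cache processing",
    8192: "Database indexing",
    16384: "Syncrepl consumer processing",
}
ALL_KNOWN = sum(LEVELS)  # every bit listed in Table 2


def debug_level(command):
    """Return the integer given to -d in a slapd command line, or None."""
    args = command.split()
    for i, arg in enumerate(args):
        if arg == "-d" and i + 1 < len(args):
            return int(args[i + 1])
        # Attached form such as -d128 or -d-1.
        if arg.startswith("-d") and arg[2:].lstrip("-").isdigit():
            return int(arg[2:])
    return None


def decode(level):
    """Return (enabled log details, leftover bits that Table 2 does not list)."""
    if level == 0:
        return ["No debugging"], 0
    if level == -1:
        return ["Enable all debugging"], 0
    if level < 0:
        raise ValueError("only -1 is a valid negative debug level")
    names = [name for bit, name in sorted(LEVELS.items()) if level & bit]
    return names, level & ~ALL_KNOWN


def encode(names):
    """Return the -d value that enables the given Table 2 log details."""
    by_name = {name: bit for bit, name in LEVELS.items()}
    return sum(by_name[name] for name in set(names))


def explain(command):
    """Decode the -d option of a full startup command line."""
    level = debug_level(command)
    if level is None:
        raise ValueError("command has no -d option")
    return decode(level)[0]


if __name__ == "__main__":
    # The Solaris startup line shown in this guide (host name as printed there).
    cmd = ("$OPENLDAP_HOME/usr/local/libexec/slapd -f "
           "$OPENLDAP_HOME/usr/local/etc/openldap/slapd.conf "
           "-h ldap://wolverine:58089 -d 1")
    print(explain(cmd))
    print(decode(384))
```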
Troubleshooting OpenLDAP
If you are having problems connecting to the Shared Services OpenLDAP database on a specific machine, try changing the host name to an IP address in these files:
Windows
<HSS_HOME>\AppServer\InstalledApps\<AppServName>\<version>\CSS.xml
where <HSS_HOME> is the location where Shared Services is installed, <AppServName> is the name of the application server you deployed to, and <version> is the application server release number. For example:
c:\Hyperion\SharedServices\9.2\AppServer\InstalledApps\Tomcat\5.0.28\CSS.xml
In the CSS.xml file, find hostname and replace it with the IP address:
<hub location="http://hostname:58080">
  <dirPort>58089</dirPort>
</hub>
UNIX
<HSS_HOME>/AppServer/InstalledApps/<AppServName>/<version>/CSS.xml
where <HSS_HOME> is the location where Shared Services is installed, <AppServName> is the name of the application server you deployed to, and <version> is the application server release number. For example:
/home/username/Hyperion/SharedServices/9.2/AppServer/InstalledApps/Tomcat/5.0.28/CSS.xml
In the CSS.xml file, find hostname and replace it with the IP address:
<hub location="http://hostname:58080">
  <dirPort>58089</dirPort>
</hub>
<HSS_HOME>/openLDAP/startOpenLDAP.sh
where <HSS_HOME> is the location where Shared Services is installed. For example:
/home/username/Hyperion/SharedServices/9.2/openLDAP/startOpenLDAP.sh
In the startOpenLDAP.sh file, find hostname and replace it with the IP address:
$OPENLDAP_HOME/usr/local/libexec/slapd -f $OPENLDAP_HOME/usr/local/etc/openldap/slapd.conf -h ldap://hostname:58089
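The host name replacement in CSS.xml can be scripted so that only the host part of the hub location changes while the port, the dirPort value and any XML comments are kept. This is an added example, not part of the original guide: the sample CSS.xml is constructed from elements shown in this guide, the placement of <hub> directly under <css> is an assumption, and 192.0.2.10 is a documentation address.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed CSS.xml, reduced to elements that appear in this guide.
SAMPLE_CSS_XML = """<css>
  <hub location="http://hostname:58080">
    <dirPort>58089</dirPort>
  </hub>
  <token>
    <timeout>60</timeout>
  </token>
  <logger>
    <priority>FATAL</priority>
  </logger>
  <!-- <securityAgent name="NETEGRITY"/> -->
</css>"""


def _parse(xml_text):
    # Keep comments so that writing the file back does not drop them
    # (TreeBuilder(insert_comments=True) needs Python 3.8 or later).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _hub(root):
    hub = next(root.iter("hub"), None)
    if hub is None or not hub.get("location"):
        raise ValueError("no <hub location=...> element found")
    return hub


def hub_endpoint(xml_text):
    """Return (host, port, host_is_ip_literal) for the hub location."""
    parts = urlsplit(_hub(_parse(xml_text)).get("location"))
    try:
        ipaddress.ip_address(parts.hostname)
        is_ip = True
    except ValueError:
        is_ip = False
    return parts.hostname, parts.port, is_ip


def set_hub_host(xml_text, ip):
    """Return the XML with the hub host replaced by ip; scheme and port stay."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for anything but an IP
    root = _parse(xml_text)
    hub = _hub(root)
    parts = urlsplit(hub.get("location"))
    host = f"[{addr}]" if addr.version == 6 else str(addr)  # IPv6 needs brackets
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    hub.set("location", urlunsplit(parts._replace(netloc=netloc)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(hub_endpoint(SAMPLE_CSS_XML))
    print(set_hub_host(SAMPLE_CSS_XML, "192.0.2.10"))
```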
2 Log on to the External Authentication Configuration Console.
3 Select Configuration > Sync OpenLDAP.
Shared Services synchronizes the relational and OpenLDAP databases.
Note: The Sync OpenLDAP utility does not synchronize provisioning details for users and groups on applications.
OpenLDAP Recovery
For details about using the recovery utilities, see Appendix E, Shared Services Backup and Recovery.
Validating Classpaths
Shared Services provides the following utility to validate classpaths:
http://localhost:58080/interop/jsp/config/tools/where_is.jsp
Note: This is a prototype utility. This utility is not tested for portability across platforms, and so on.