The simplest, and thankfully most common, method for implementing SSL with the EPM Suite is SSL Offloading. Offloading refers to moving the SSL Certificates to a Load Balancer, a physical device that load balances network traffic to the EPM System. Offloading requires no SSL-specific configuration within the EPMS Suite. Placing the SSL Certificates on a dedicated device also eliminates the performance concerns that can sometimes arise from the use of SSL, and it simplifies certificate maintenance within an organization by keeping all SSL Certificates in a single location.
The second option, SSL terminated at the web server, is more involved but still fairly straightforward. By default most of the EPM System web components are accessed through OHS (Oracle HTTP Server) via redirects within the OHS configuration, and Oracle is working to integrate the remaining components into OHS. The few that are not currently accessed through OHS, FDM for example, can be added to the OHS configuration by modeling the existing redirects. This creates a single point of entry for all EPMS web applications. SSL Certificates are assigned to the OHS web server and entries are added to the OHS configuration to direct inbound traffic to use SSL (HTTPS). By securing communication between clients and the OHS server(s) using SSL, and blocking direct access to the WebLogic-deployed applications through firewalls or ACLs, the desired SSL configuration is achieved. This configuration still allows non-SSL communication between the OHS web servers and the WebLogic or IIS EPMS web applications. However, as all of this communication is server-to-server, there is much less exposure to security threats. Let’s face it, if someone can trace your backend network traffic you have bigger concerns!
The final option, and by far the most complex, is using SSL for both client-to-server communication and backend server-to-server communication. In addition to securing OHS using SSL, all communication between OHS and the WebLogic and IIS web applications is also secured. This requires creating SSL certificates for each WebLogic server and each IIS web server. The SSL certificates must then be added to the WebLogic and IIS configurations, and the EPM System must also be configured to use HTTPS for all internal communication. Given the ‘chattiness’ of the EPMS internal communications, using full SSL can have a significant performance impact. This configuration also adds to the complexity of supporting Oracle EPMS and increases maintenance, as SSL Certificates are typically good for 2 years or less.
There are two additional options for using SSL within an EPMS deployment. The first is using SSL between Oracle EPMS Shared Services and the corporate external authentication directory, MSAD or LDAP. This is typically not a decision made by the implementation team or project, but is more of a corporate standard. It simply secures communications between the Foundation Server and the Active Directory or LDAP servers within the corporate domain. Traffic between the EPMS components and their RDBMS server can also be secured through SSL. This is less common and requires more setup on the RDBMS side than on the Oracle EPMS side. The connection string given to the EPMS implementation team must contain the correct SSL parameters, and the SSL certificates must be added to the RDBMS clients on each EPMS server.
SSL is becoming more and more common within the Oracle EPMS landscape. If you’re considering implementing SSL with your EPMS deployment, please consider your choices carefully, as your decisions will affect more than the initial configuration. Keep in mind the other security holes in your environment and how to get the best security for your efforts.
Author: Damon Hannah
At CheckPoint Consulting, we put a premium on our ability to size and scale an environment to meet clients’ current and projected needs. Of course, it is not always easy to do that. Frequently we are asked to scale the hardware prior to any design discussions, understanding of transaction or user volume, and often even the products to be used. While it is not an ideal set of circumstances to operate in, it is the most frequent.
Luckily, there is a solution. A key part of any project plan should be testing the hardware in any given environment for scalability. Metrics testing tools are ideal for accomplishing that task. The most common tool in use for this is HP Load Runner. At a high level, this tool allows a team to script test scenarios and then apply virtual user and transaction volume to a test, to understand where the hardware will 'fall down'.
Of course, as with most things, it is not that simple. In fact, one of the common things Load Runner can determine is not just the viability of the architectural design, but also the viability of the application design. If either side of the house is a weak link, then something will fail. The nice thing about baking Load Runner into the project plan is that you can head potential problems off at the pass. If an environment needs more servers, you can add them; if the application or report design needs tweaking, it can be revisited. All of these opportunities make Load Runner, or some form of metric testing, key in an environment.
If you are thinking of using Load Runner or some other tool, here are some high-level 'lessons' to keep in mind to make best use of your time and effort:
Oracle has documented a method to keep the WebLogic server from automatically listening on all NICs. Determine which NIC is the "primary" for the server, then look up the IP address or DNS name assigned to it. For long-term ease of maintenance, it is recommended to use the fully-qualified server name that resolves to the IP of the "primary" NIC. If you have a distributed installation, find this information for each server in the environment that will have WebLogic applications deployed.
Start the WebLogic Administration Server service, "Lock and Edit" the configuration, and modify the value of the "Listen Address" field for each application listed. For example, a single-server deployment may have several WebLogic application names such as FoundationServices0, RAFramework0, etc. In a distributed installation, you may have names such as RAFramework1 or FinancialReporting2. Change the Listen Address to the fully-qualified name assigned to the primary NIC for the server in question. When done, save and activate the configuration and exit. The next time you restart your WebLogic services, your netstat output will show that you are now listening only on the "primary" NIC you specified earlier.
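The netstat verification above, written out as an added shell example (not from the post or from Oracle): it parses Windows-style `netstat -an` output and reports any ports still bound to all interfaces, plus any listeners bound to a NIC other than the primary one. The primary IP, the ports and the sample netstat lines are constructed placeholders; on a real server, PRIMARY_IP is the address the fully-qualified name resolves to.

```shell
#!/bin/sh
# Added example: after changing the Listen Address, confirm from `netstat -an`
# output that WebLogic ports are bound only to the primary NIC.
# PRIMARY_IP is an assumed placeholder for the IP the fully-qualified name resolves to.
PRIMARY_IP="${PRIMARY_IP:-10.1.2.30}"

# Constructed sample in Windows `netstat -an` layout (Proto, Local Address,
# Foreign Address, State); not captured from a real EPM server.
SAMPLE_NETSTAT='  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:28080          0.0.0.0:0              LISTENING
  TCP    10.1.2.30:45000        0.0.0.0:0              LISTENING
  TCP    10.1.2.31:8200         0.0.0.0:0              LISTENING
  TCP    [::]:7001              [::]:0                 LISTENING
  TCP    10.1.2.30:52102        10.1.2.30:7001         ESTABLISHED'

# Ports still bound to every interface (0.0.0.0 or [::]), one per line, sorted numerically.
wildcard_ports() {
  printf '%s\n' "$1" | awk '$NF == "LISTENING" && ($2 ~ /^0\.0\.0\.0:/ || $2 ~ /^\[::\]:/) {
      p = $2; sub(/.*:/, "", p); print p
  }' | sort -un
}

# Listeners bound to a specific address that is NOT the primary NIC (e.g. a backup NIC).
non_primary_listeners() {
  printf '%s\n' "$1" | awk -v ip="$2" '$NF == "LISTENING" && $2 !~ /^0\.0\.0\.0:/ && $2 !~ /^\[::\]:/ {
      a = $2; sub(/:[0-9]+$/, "", a); if (a != ip) print $2
  }'
}

# Overall verdict: succeeds only when nothing listens outside the primary NIC.
check_bindings() {
  [ -z "$(wildcard_ports "$1")" ] && [ -z "$(non_primary_listeners "$1" "$2")" ]
}

# Stand-alone run against the constructed sample; on a real server replace
# SAMPLE_NETSTAT with "$(netstat -an)".
if check_bindings "$SAMPLE_NETSTAT" "$PRIMARY_IP"; then
  echo "OK: all listeners are on $PRIMARY_IP"
else
  echo "Still listening on all interfaces, ports:"; wildcard_ports "$SAMPLE_NETSTAT"
  echo "Listening on a non-primary address:"; non_primary_listeners "$SAMPLE_NETSTAT" "$PRIMARY_IP"
fi
```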
Author: Robert Spelman
After a year-long blogging hiatus, it’s good to be back sharing what I hear from clients about EPM.
And I’m happy to report I’m now with CheckPoint Consulting. I’ve worked with many of the leaders and consultants at CheckPoint over the years – and couldn’t resist joining forces with them any longer!
Enterprise Performance Management helps you focus on the right things. And it’s not just about ‘measuring what matters.’ It includes ‘planning what matters,’ ‘analyzing what matters,’ and ‘modeling what matters.’ So how do you determine what matters? Here are a few qualities of your data to take a look at when deciding where to focus:
Materiality. Does the data have a material impact on your business? Examples include sales, gross margin, product quality, customer satisfaction, labor expense, and so on. This should come before reporting & planning the small stuff.
Volatility. Does the data change frequently and can it fluctuate wildly? Some commodity prices are highly volatile, while most employee satisfaction survey results aren’t. Where there’s more volatility, there needs to be more scrutiny.
Variance. How does the data compare to what you planned the result to be, and what is your tolerance for that variation? You may have a plus or minus 5% tolerance on overhead expenses, and a 15% tolerance on sales forecasts (since sales forecasts are notoriously difficult to rein in, right?). Management by exception means drawing your attention to the biggest variances beyond tolerance.
Reach. Does the data need to be seen by many people in the organization? Data that is seen by more people needs to be more frequent, of higher quality, and tends to impact more business decisions.
Impact. Does the data affect other data in the business? Our travel expense affects our SG&A (Selling, General & Administrative) expense and our Operating Margin. It may also affect end-of-month discretionary spend and even variable compensation (we don’t get our bonus if we exceed expense budgets, for example). Don’t underestimate the impact of some of those key planning drivers.
Alignment. Does the data you’re measuring align with your overall strategic and operational objectives? Are you focused on the things that help close the gap between strategy & execution?
I’m looking forward to hearing from you and how you determine what to focus on.