
HYPERION SYSTEM 9 SHARED SERVICES

RELEASE 9.2.0.3

DOCUMENTATION ADDENDUM

P/N: DH98792030

Copyright 2005–2007 Hyperion Solutions Corporation. All rights reserved.

“Hyperion,” the Hyperion logo, and Hyperion’s product names are trademarks of Hyperion. References to other companies and their products use trademarks owned by the respective companies and are for reference purpose only.

No portion hereof may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the recipient’s personal use, without the express written permission of Hyperion.

The information contained herein is subject to change without notice. Hyperion shall not be liable for errors contained herein or consequential damages in connection with the furnishing, performance, or use hereof.

Any Hyperion software described herein is licensed exclusively subject to the conditions set forth in the Hyperion license agreement.

Use, duplication or disclosure by the U.S. Government is subject to restrictions set forth in the applicable Hyperion license agreement and as provided in DFARS 227.7202-1(a) and 227.7202-3(a) (1995), DFARS 252.227-7013(c)(1)(ii) (Oct 1988), FAR 12.212(a) (1995), FAR 52.227-19, or FAR 52.227-14, as applicable.

Hyperion Solutions Corporation, 5450 Great America Parkway, Santa Clara, CA 95051

Printed in the U.S.A.

Contents

Chapter 1. New Features (page 5)
  Support for User and Group Move Across OUs in User Directories (page 5)
  Performance Improvements (page 6)
    Connection Pooling (page 6)
    Turning Off Group Support (page 6)
    Using a Group URL (page 6)
    Using Group Filters (page 7)
  Improved Analytic Services and Planning Integration (page 7)
  Common Location for Log Files (page 7)
  Ability to Change Log Level Without Restart (page 7)
  Change OpenLDAP root User Password (page 8)
  Use of Special Characters in User Directory Settings (page 8)

Chapter 2. Instructions for Using New Features (page 9)
  Planning the Migration to the Unique Identity Attribute (page 9)
    Back Up OpenLDAP and Hyperion System 9 Product Repositories (page 9)
    Migration Sequence (page 10)
    Behavior During Migration (page 10)
    Important Considerations When Using the Unique Identity Attribute (page 10)
  Changes to the Configure Provider Screen (page 11)
  Migrating Shared Services Users and Groups to Support Inter-OU Move (page 12)
    Updating User Directory Configuration (page 13)
    Using the Update Native Directory Utility (page 14)
      Installing the Update Native Directory Utility (page 15)
      Running the Update Native Directory Utility (page 15)
  Updating OpenLDAP root User Password (page 16)
  Common Hyperion System 9 Log Location (page 17)
  Defining Connection Pools (page 17)
  Using Special Characters (page 19)
  Product-Specific Updates (page 21)
    Analytic Services (page 21)
      Managing ID Attribute Migration in Analytic Services (page 21)


      MaxL Changes (page 22)
    Planning (page 23)
    Financial Management (page 23)
    BI+ (page 24)
    Strategic Finance (page 25)
  Documentation Updates (page 25)
    Shared Services Log Levels (page 25)
    User and Group URLs (page 25)
    Import/Export Utility (page 26)
      BI+ Product Name (page 26)
      Using Secure Socket Layer Connections (page 26)

Chapter 3. Defects Fixed (page 27)


Chapter 1. New Features

In This Chapter

  Support for User and Group Move Across OUs in User Directories (page 5)
  Performance Improvements (page 6)
  Improved Analytic Services and Planning Integration (page 7)
  Common Location for Log Files (page 7)
  Ability to Change Log Level Without Restart (page 7)
  Change OpenLDAP root User Password (page 8)
  Use of Special Characters in User Directory Settings (page 8)

Support for User and Group Move Across OUs in User Directories

OpenLDAP (Native Directory) maintains a link to provisioned users and groups defined in external user directories. When the following actions take place in an MSAD or LDAP-based user directory, these links are broken, creating stale data in OpenLDAP and causing loss of access to Hyperion applications.

• Users and groups are moved across OUs.
• Multiple users or groups are assigned an identical common name (CN).
• The CN of provisioned users or groups is modified.

Hyperion® System™ 9 Shared Services™ resolves this issue with a user directory attribute that uniquely identifies users and groups without reference to the location of their accounts. This identity is carried by an attribute that uniquely locates the user or group in the directory; it does not contain location information. Implementing this identity has changed the External Authentication Configuration Console screens used to configure Microsoft Active Directory (MSAD) and LDAP-based user directories.

Support for inter-OU moves can be implemented while you configure external user directories or with the Update Native Directory Utility, which was created to resolve the inter-OU move problem. For more information, see:

• “Planning the Migration to the Unique Identity Attribute” on page 9
• “Updating User Directory Configuration” on page 13
• “Using the Update Native Directory Utility” on page 14


Note: This update affects only MSAD and other LDAP-enabled user directories.

For related product-specific information, see:

• “Migrating Shared Services Users and Groups to Support Inter-OU Move” on page 12
• “Analytic Services” on page 21
• “Planning” on page 23
• “Financial Management” on page 23
• “BI+” on page 24
• “Strategic Finance” on page 25

Performance Improvements

This release of Shared Services provides improved performance by implementing the following:

• “Connection Pooling” on page 6
• “Using a Group URL” on page 6
• “Using Group Filters” on page 7

Connection Pooling

Previous releases of Hyperion® System™ 9 products created connection threads to external user directories on a need-to-use basis. To improve performance, Shared Services 9.2.0.3 introduces connection pooling, where user directory connections use a common connection pool.

For instructions to use this feature, see “Defining Connection Pools” on page 17.

Turning Off Group Support

This release allows you to turn off searches for groups if your organization does not require provisioning using groups from external user directories. Groups from OpenLDAP (Native Directory) can still be provisioned even if search for groups from external user directories is turned off.

For instructions to use this feature, see “Changes to the Configure Provider Screen” on page 11.

Using a Group URL

While configuring external user directories, you can specify an optional group URL that identifies the lowest user directory node under which all groups that will be provisioned to Hyperion System 9 application roles are available.


Shared Services tests the group URL that you specify to verify that only a manageable number of groups is available under the group URL. It displays a warning message if the group URL causes Shared Services to retrieve more than 10,000 groups, which may degrade performance.

For instructions to use this feature, see “Changes to the Configure Provider Screen” on page 11.

Using Group Filters

While configuring external user directories, you can specify optional group filters. Shared Services uses group filters to retrieve only matching groups from those available within the group URL, which identifies the user directory location where groups are available. If not all the groups within the group URL are used by Hyperion System 9 applications, you can use group filters to retrieve only the provisioned groups. Using group filters improves performance.

The group filter is an LDAP query. For example, the query (cn=hyp*) retrieves, from within the group URL, all groups whose names start with the pattern Hyp.

See “Changes to the Configure Provider Screen” on page 11.

Improved Analytic Services and Planning Integration

Hyperion® System™ 9 BI+™ Analytic Services™ and Hyperion® System™ 9 Planning™ use the sync operation to synchronize users between Hyperion System 9 security and Analytic Services and Planning security. The sync operation has been redesigned to perform better.

Common Location for Log Files

Log files belonging to Hyperion products are stored in <Hyperion_Home>/logs, allowing administrators to easily locate log files to monitor the applications and troubleshoot issues.

Product log files are created in a product-specific folder. For example, Shared Services logs are in <Hyperion_Home>/logs/SharedServices9.

Note: Existing log files are not moved to the new location.

See “Common Hyperion System 9 Log Location” on page 17.

Ability to Change Log Level Without Restart

Administrators can change the log level for Shared Services on the fly to capture relevant information to debug Shared Services issues. Previous releases required that the Shared Services application server be restarted to activate changes to the log level.


See Hyperion System 9 Shared Services Installation Guide for information on changing the log level. See “Documentation Updates” on page 25 for updates on supported log levels.

Change OpenLDAP root User Password

Shared Services Administrators can change the password of the OpenLDAP root user account, which provides complete control over OpenLDAP. The default root password is hard-coded in a file and is not visible to users.

See “Updating OpenLDAP root User Password” on page 16.

Use of Special Characters in User Directory Settings

MSAD and other LDAP-enabled user directories allow special characters in entities such as DNs, user names, roles, and group names. Support for special characters in user directory configuration settings is upgraded.

Generally, you must use escape characters while specifying any special character used in user directory settings; for example, user and group URLs and Base DN.

See “Using Special Characters” on page 19 for details.


Chapter 2. Instructions for Using New Features

In This Chapter

  Planning the Migration to the Unique Identity Attribute (page 9)
  Changes to the Configure Provider Screen (page 11)
  Migrating Shared Services Users and Groups to Support Inter-OU Move (page 12)
  Updating OpenLDAP root User Password (page 16)
  Common Hyperion System 9 Log Location (page 17)
  Defining Connection Pools (page 17)
  Using Special Characters (page 19)
  Product-Specific Updates (page 21)
  Documentation Updates (page 25)

Planning the Migration to the Unique Identity Attribute

You must migrate users and groups to the new unique identity attribute only if you face any of the following scenarios in your MSAD or LDAP-based user directories, which create broken links and stale data in OpenLDAP.

• You moved users and groups across OUs.
• You have multiple users or groups with identical common name (CN).
• You modified the CN of users or groups.

Because migrating to the new unique identity attribute affects all Hyperion System 9 products, plan the migration to minimize application downtime.

Back Up OpenLDAP and Hyperion System 9 Product Repositories

After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. Before starting the migration, create backups of the OpenLDAP database and the Hyperion System 9 product databases that store user and group information:

• OpenLDAP repository
• Shared Services repository
• Analytic Services (security file)
• Planning repository
• Hyperion® System™ 9 Financial Management™ repository
• Hyperion® System™ 9 BI+™ repository

Migration Sequence

First, you must migrate Shared Services users and groups to the new identity attribute. If you use Analytic Services and Planning, migrate Analytic Services users and groups, and then migrate Planning users and groups.

You can migrate Financial Management and BI+ users and groups anytime after migrating Shared Services users and groups. For detailed procedures, see:

• “Migrating Shared Services Users and Groups to Support Inter-OU Move” on page 12
• “Analytic Services” on page 21
• “Planning” on page 23
• “Financial Management” on page 23
• “BI+” on page 24

Behavior During Migration

After you migrate Shared Services users and groups to the unique identity attribute, Hyperion System 9 products stop working until the user and group information contained in product-specific repositories is updated to reflect the unique identity attribute.

Shared Services and Hyperion System 9 product migration to the unique identity attribute can take considerable time, depending on the number of users and groups involved. Because Hyperion System 9 products will not be available during this time, Hyperion recommends that you schedule the migration in a way that minimizes downtime.

Important Considerations When Using the Unique Identity Attribute

• The unique identity attribute can be set only for MSAD and other LDAP-enabled user directories.

• For migration to work, all similar user directories configured on Shared Services must be migrated to the new unique identity attribute. All MSAD user directory configurations must be updated with the unique identity attribute before Shared Services can migrate MSAD users and groups to the new attribute. Similarly, the configuration of all LDAP-enabled user directories other than MSAD (SunONE, IBM Directory Server, Novell eDirectory, and custom user directories) must be updated to the new identity attribute before Shared Services can migrate users and groups from these user directories to the new attribute.

  For example, assume that three MSAD user directories are configured on Shared Services. Two are configured to use the new identity attribute ObjectGUID, and the third is configured to use the old identity attribute (DN). In this scenario, users and groups are not migrated until the third configuration also uses a unique attribute other than DN.

• Reverse migration is not supported. After migrating to the new unique identity attribute, you cannot return to the previous identity attribute (DN).

  Hyperion recommends that you back up the OpenLDAP database before migrating to the new unique identity attribute. If you return to DN as the identity attribute, you can restore data from the backup.

• After migrating to a unique identity attribute other than DN, you cannot upgrade to Shared Services Version 9.3.0.x. In this scenario, you must upgrade to Shared Services Version 9.3.1.

• Do not migrate to the unique identity attribute by using the Update Native Directory Utility if you changed the attribute identified as loginAttribute (using the Configure LDAP/MSAD Provider screen or by editing CSS.xml). If you run the utility, provisioning data of the users whose accounts are defined on the user directory for which the loginAttribute is changed is deleted from OpenLDAP. You cannot recover the deleted data; however, you can restore it from the latest backup.

Changes to the Configure Provider Screen

The following fields have been introduced in the Configure Provider screen in External Authentication Configuration Console to support the new features introduced in Release 9.2.0.3.

• Directory Server
• ID Attribute
• Name
• Support Groups
• Group URL
• Group Filter

See Hyperion System 9 Shared Services Installation Guide for detailed information on configuring user directories.

Table 1 New Fields in Configure Provider Screen

Feature: User and group moves across OUs

  Field: Directory Server
  Description: The user directory product you are using. Select Other if you are using an LDAP Version 2 (and later) product other than those listed.

  Field: ID Attribute
  Description: Contains the user's identity. The value must uniquely identify a user in the user directory. The ID Attribute is automatically set for SunOne (nsuniqueid), IBM Directory Server (Ibm-entryUuid), Novell eDirectory (GUID), and MSAD (ObjectGUID). You may change the default value, if necessary. See “Important Considerations When Using the Unique Identity Attribute” on page 10.

Feature: Turn off group support

  Field: Support Groups
  Description: Deselect this option if you do not plan to provision groups or if users are not categorized into groups on the user directory. Deselecting this option disables the Group URL field.

Feature: Use of Group URL

  Field: Group URL
  Description: If you support groups, specify the Group URL (for example, ou=Hyp_groups,ou=sales,dc=example,dc=com) that identifies the lowest user directory node where all the groups that you plan to provision are available.
  The Group URL has a significant impact on login and search performance. Because it is the starting point for all group searches, you must identify the lowest possible node within which all groups for Hyperion System 9 applications are available. To ensure optimum performance, the number of groups present within the Group URL should not exceed 10,000. If more groups are present, use an appropriate group filter to retrieve only the groups you want to provision.
  Note: Shared Services displays a warning if the number of available groups within the Group URL exceeds 10,000.

Feature: Use of group filter

  Field: Group Filter
  Description: Enter an LDAP query that retrieves only the groups that are to be provisioned with Hyperion System 9 roles. For example, the LDAP query (cn=Hyp*) retrieves only groups whose names start with the prefix Hyp.
  The group filter is used to limit the number of groups returned during a query. Group filters are especially important if the node identified by the Group URL contains groups that need not be provisioned. Filters can be designed to exclude the groups that are not to be provisioned, thereby improving performance.
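The Group URL scoping, the Group Filter query and the 10,000-group warning described in Table 1, together with the escaped special characters in DNs mentioned under “Use of Special Characters in User Directory Settings”, modelled as an added example. This is illustrative code, not Hyperion's implementation; the sample group entries, the in-memory directory and the subset of LDAP filter syntax it parses are assumptions.

```python
"""Added example (not Hyperion code): a small model of what the Group URL and
Group Filter settings do when Shared Services scopes a group search.
Assumptions: groups are dicts with 'dn' and 'cn'; the filter parser supports
(attr=value) with '*' wildcards and the &, |, ! operators; RFC 4515 value
escapes (\\2a and so on) are not handled."""
import re

GROUP_WARN_THRESHOLD = 10000  # warning threshold stated in the addendum


def parse_dn(dn):
    """Split a DN into lower-cased RDN strings, honouring RFC 4514 backslash
    escapes: an escaped comma (\\,) inside a value does not end the RDN."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip().lower())
    return rdns


def is_under(dn, base_dn):
    """True when dn lies strictly inside the subtree rooted at base_dn."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) > len(b) and d[len(d) - len(b):] == b


def _parse_filter(text, i=0):
    """Recursive-descent parser for the supported LDAP filter subset."""
    if text[i] != "(":
        raise ValueError("filter must start with '(' at %d" % i)
    i += 1
    if text[i] in "&|!":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            child, i = _parse_filter(text, i)
            children.append(child)
        if text[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    close = text.index(")", i)
    attr, _, value = text[i:close].partition("=")
    return ("=", attr.strip().lower(), value), close + 1


def _matches(node, entry):
    if node[0] == "=":
        value = entry.get(node[1])
        if value is None:
            return False
        pattern = "^" + ".*".join(re.escape(p) for p in node[2].split("*")) + "$"
        return re.match(pattern, value, re.IGNORECASE) is not None
    op, children = node
    if op == "&":
        return all(_matches(c, entry) for c in children)
    if op == "|":
        return any(_matches(c, entry) for c in children)
    return not _matches(children[0], entry)


def select_groups(groups, group_url, group_filter=None):
    """Return the DNs a group search would retrieve: only entries under the
    Group URL, further narrowed by the Group Filter when one is set."""
    node = _parse_filter(group_filter)[0] if group_filter else None
    return [g["dn"] for g in groups
            if is_under(g["dn"], group_url)
            and (node is None or _matches(node, g))]


def check_group_url(groups, group_url):
    """(count, warn): warn mirrors the console warning for more than 10,000 groups."""
    count = len(select_groups(groups, group_url))
    return count, count > GROUP_WARN_THRESHOLD


# Constructed sample directory content (not from any real deployment).
GROUP_URL = "ou=Hyp_groups,ou=sales,dc=example,dc=com"
GROUPS = [
    {"dn": "cn=Hyp_Planners,ou=Hyp_groups,ou=sales,dc=example,dc=com", "cn": "Hyp_Planners"},
    {"dn": "cn=Hyp_Admins,ou=Hyp_groups,ou=sales,dc=example,dc=com", "cn": "Hyp_Admins"},
    # escaped comma in the RDN value: a "special character" case
    {"dn": "cn=Hyp_EMEA\\, North,ou=Hyp_groups,ou=sales,dc=example,dc=com", "cn": "Hyp_EMEA, North"},
    {"dn": "cn=Sales_Reps,ou=Hyp_groups,ou=sales,dc=example,dc=com", "cn": "Sales_Reps"},
    {"dn": "cn=Hyp_Outside,ou=hr,dc=example,dc=com", "cn": "Hyp_Outside"},  # outside the Group URL
]

if __name__ == "__main__":
    print("no filter:", select_groups(GROUPS, GROUP_URL))
    print("(cn=Hyp*):", select_groups(GROUPS, GROUP_URL, "(cn=Hyp*)"))
    print("warning:", check_group_url(GROUPS, GROUP_URL))
```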

Migrating Shared Services Users and Groups to Support Inter-OU Move

Before starting migration, review the information in “Important Considerations When Using the Unique Identity Attribute” on page 10.

The following methods enable you to migrate Shared Services users and groups to the unique identity attribute to support inter-OU move of users and groups.

• “Updating User Directory Configuration” on page 13
• “Using the Update Native Directory Utility” on page 14


Updating User Directory Configuration

Use this procedure in conjunction with those in Hyperion System 9 Shared Services Installation Guide to update your user directory configuration to support inter-OU move of users and groups.

To configure MSAD and LDAP-based user directories to support inter-OU move:

1. Log on to the External Authentication Configuration Console as a user with Shared Services Administrator role.

2. From Defined Providers, select the user directory configuration to modify.

3. Click Edit.

   Depending on the selected configuration, the Configure MSAD Provider or Configure LDAP Provider screen opens. This screen contains new fields that are discussed in Table 1 on page 11. Only the values of the fields that existed in earlier versions are displayed on this screen. This procedure discusses the new fields only. See Hyperion System 9 Shared Services Installation Guide for information on existing fields.

4. In Directory Server, select the user directory product you are using. Select Other if you are using an LDAP Version 2 (and later) product other than those listed. The ID Attribute value changes to the recommended unique identity attribute for the selected provider.

5. Optional: If you do not plan to provision groups or if users are not categorized into groups on the user directory, deselect Support Groups. Deselecting Support Groups disables Group URL.

6. If you support groups, in Group URL, enter the URL (for example, ou=Hyp_groups,ou=sales,dc=example,dc=com) of the lowest user directory node where all the groups that you plan to provision are available.

   Shared Services displays a warning if the number of available groups within the Group URL exceeds 10,000.

   Note: The Group URL has a significant effect on login and search performance. Because it is the starting point for all group searches, you must identify the lowest possible node within which all groups for Hyperion System 9 applications are available. To ensure optimum performance, the number of groups present within the Group URL should not exceed 10,000. If more groups are present, use an appropriate group filter to retrieve only the groups you want to provision.

7. Optional: In Group Filter, enter an LDAP query that can decrease the processing load by targeting only a subset of the groups available within the group URL. Hyperion recommends that this query be defined to search for only the groups that are provisioned with Hyperion System 9 roles. For example, the LDAP query (cn=Hyp*) retrieves only groups whose names start with the prefix Hyp.

   The group filter limits the number of groups returned by a query.

   Note: By default, a group search retrieves all the groups within the group URL. This behavior is acceptable if all the groups are to be provisioned with Hyperion System 9 roles or if only a few groups are available within the group URL. In deployments where a large number of groups are present within the group URL, use the group filter to improve performance.

8. In ID Attribute, enter an attribute that carries the identity of the user. The recommended value of this attribute, which must uniquely identify a user in the user directory, is automatically set for SunOne (nsuniqueid), IBM Directory Server (Ibm-entryUuid), Novell eDirectory (GUID), and MSAD (ObjectGUID). You may change the default value, if necessary.

9. Enter information in the remaining fields. See Hyperion System 9 Shared Services Installation Guide for detailed information.

10. Click Save.

11. Restart Shared Services. When Shared Services restarts, the user and group information in OpenLDAP is automatically migrated to use the unique identity attribute that you specified in ID Attribute.

Note: After migrating user and group information in OpenLDAP, you must migrate user and group information in Hyperion System 9 product repositories. See “Product-Specific Updates” on page 21 for detailed procedures.

Using the Update Native Directory Utility

Changes to users and groups in an external user directory that is configured with Shared Services lead to stale data within OpenLDAP because the Hyperion security system is not synchronized to be aware of such changes. To resolve this issue, Hyperion uses a unique identity attribute. See “Support for User and Group Move Across OUs in User Directories” on page 5.

You may use the Update Native Directory Utility to migrate OpenLDAP user and group data to use the unique identity attribute.

Note: Hyperion recommends that you use the External Authentication Configuration Console to migrate to the unique identity attribute. See “Updating User Directory Configuration” on page 13 for details.

See “Planning the Migration to the Unique Identity Attribute” on page 9.

Update Native Directory Utility performs these actions:

• Deletes the user from OpenLDAP if the user account is not available in the external user directory
• Deletes user accounts derived from the external user directory if the user directory is removed from the Shared Services search order
• Updates OpenLDAP if the user or group in the external user directory is moved from one OU to another (the OU to which the user or group is moved must be configured in Shared Services)


Update Native Directory Utility does not update OpenLDAP if the external user directory cannot be reached because of configuration or connection problems.
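The three actions listed above and the unreachable-directory rule, modelled as an added example that also shows why the link is keyed on the unique identity attribute rather than the DN. This is illustrative code, not the utility's own; the provider names, GUID values, in-memory directory contents and the assumption that an entry no longer visible under a provider's configured Base DN is treated as absent are all constructed for the example.

```python
"""Added example (not Hyperion code): a model of the reconciliation the
Update Native Directory Utility is described as performing, and of why the
OpenLDAP link is keyed on the unique identity attribute rather than the DN.
Assumptions: a provisioning link is a Link record; each external directory is
a dict with 'reachable' and the entries currently visible under its configured
Base DN, keyed by the ID Attribute value (for example an ObjectGUID)."""
from dataclasses import dataclass, field


@dataclass
class Link:
    provider: str       # name of the external user directory in CSS.xml
    ident: str          # ID Attribute value, e.g. an ObjectGUID
    dn: str             # DN recorded in OpenLDAP when the user was provisioned
    roles: list = field(default_factory=list)


def resolve_by_dn(provider, dn):
    """The DN-keyed lookup: after an OU move the cached DN matches nothing,
    or, worse, a different account that was later given the same CN."""
    return [ident for ident, entry in provider["entries"].items()
            if entry["dn"].lower() == dn.lower()]


def sync_native_directory(links, providers, search_order):
    """Reconcile OpenLDAP links with the external directories.
    Returns (remaining_links, report); report has the same three buckets as
    the utility's SyncOpenLDAP-Deleted/-Updated/-NoAction log files."""
    report = {"Deleted": [], "Updated": [], "NoAction": []}
    remaining = []
    for link in links:
        if link.provider not in search_order:
            # directory removed from the search order: derived account is dropped
            report["Deleted"].append((link.dn, "provider removed from search order"))
            continue
        provider = providers[link.provider]
        if not provider["reachable"]:
            # configuration/connection problem: OpenLDAP is left untouched
            report["NoAction"].append((link.dn, "provider unreachable"))
            remaining.append(link)
            continue
        entry = provider["entries"].get(link.ident)   # lookup by identity, not DN
        if entry is None:
            # not visible under the configured Base DN: treated as gone (assumption)
            report["Deleted"].append((link.dn, "not found in external directory"))
            continue
        if entry["dn"].lower() != link.dn.lower():
            # same identity at a new location (OU move or CN change): relink
            report["Updated"].append((link.dn, entry["dn"]))
            link = Link(link.provider, link.ident, entry["dn"], link.roles)
        else:
            report["NoAction"].append((link.dn, "unchanged"))
        remaining.append(link)
    return remaining, report


# Constructed sample state (not from any real deployment).
PROVIDERS = {
    "corp_ad": {"reachable": True, "entries": {
        "guid-1111": {"dn": "CN=jsmith,OU=Finance,DC=example,DC=com"},  # moved out of OU=Sales
        "guid-2222": {"dn": "CN=Jane Doe,OU=Sales,DC=example,DC=com"},  # CN renamed from jdoe
        "guid-4444": {"dn": "CN=jsmith,OU=Sales,DC=example,DC=com"},    # new account reusing the old CN
    }},
    "emea_ad": {"reachable": False, "entries": {}},                     # currently unreachable
    "hr_ad": {"reachable": True, "entries": {
        "guid-5555": {"dn": "CN=bob,OU=HR,DC=example,DC=com"}}},
}
SEARCH_ORDER = ["corp_ad", "emea_ad"]          # hr_ad was removed from CSS.xml
LINKS = [
    Link("corp_ad", "guid-1111", "CN=jsmith,OU=Sales,DC=example,DC=com", ["Planner"]),
    Link("corp_ad", "guid-2222", "CN=jdoe,OU=Sales,DC=example,DC=com", ["Provisioning Manager"]),
    Link("corp_ad", "guid-3333", "CN=leaver,OU=Sales,DC=example,DC=com", ["Viewer"]),
    Link("corp_ad", "guid-4444", "CN=jsmith,OU=Sales,DC=example,DC=com", ["Viewer"]),
    Link("emea_ad", "guid-6666", "CN=anna,OU=Paris,DC=emea,DC=example,DC=com", ["Planner"]),
    Link("hr_ad", "guid-5555", "CN=bob,OU=HR,DC=example,DC=com", ["Viewer"]),
]


def run_sample():
    return sync_native_directory(LINKS, PROVIDERS, SEARCH_ORDER)


if __name__ == "__main__":
    remaining, report = run_sample()
    for bucket, rows in report.items():
        print(bucket, rows)
    # With DN-keyed links, the Planner grant for the moved jsmith would now
    # resolve to the unrelated account that inherited the CN in OU=Sales:
    print(resolve_by_dn(PROVIDERS["corp_ad"], LINKS[0].dn))
```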

Note: After migrating user and group information in OpenLDAP, you must migrate the user and group information in Hyperion System 9 product repositories. See “Product-Specific Updates” on page 21 for detailed procedures.

Installing the Update Native Directory Utility

The UpdateNativeDir.zip archive containing the Update Native Directory Utility is installed in <Hyperion_Home>/common/utilities/nativedirectoryupdateutility.

To install the Update Native Directory Utility:

1. Extract UpdateNativeDir.zip to a convenient location, preferably to <Hyperion_Home>. This creates the updateNativedir folder.

2. Using a text editor, open updateNativedir.bat (Windows) or updateNativedir.sh (UNIX).

   a. Verify that JAVA_HOME points to a directory (for example, <Hyperion_Home>/common/JDK/Sun/1.4.2) where Sun JRE 1.4 or later is available.

   b. Save and close updateNativedir.

Running the Update Native Directory Utility

See “Important Considerations When Using the Unique Identity Attribute” on page 10 before running the Update Native Directory Utility.

The Update Native Directory Utility synchronizes the data related to all the external user directories included in the search order in CSS.xml.

To run the Update Native Directory Utility:

1. Update CSS.xml using step 1 to step 10 in “Updating User Directory Configuration” on page 13.

   Caution! Do not restart Shared Services.

2. Using a command prompt or console window, navigate to the directory where the Update Native Directory Utility is installed.

3. Execute the following command:

   • updateNativedir <location_of_CSS.XML> (Windows)
   • updateNativedir.sh <location_of_CSS.XML> (UNIX)

   Where <location_of_CSS.XML> identifies the directory or application server location where the CSS.xml configuration file is stored. Methods to specify this location:


   • As an absolute path; for example, updateNativedir C:\Hyperion\SharedServices\9.2\AppServer\InstalledApps\Tomcat\5.0.28 (Windows) and updateNativedir /app/Hyperion/SharedServices/9.2/AppServer/InstalledApps/Tomcat/5.0.28 (UNIX)

   • As a file located on the application server; for example, updateNativeDir <SharedServices URL>/framework/getCSSConfigFile, where <SharedServices URL> is:

     ◦ http://AppServer_name:port/interop (non-SSL deployment); for example, updateNativeDir http://myServer:58080/interop/framework/getCSSConfigFile

     ◦ https://AppServer_name:SSL_port/interop (SSL deployment); for example, updateNativeDir https://myServer:58082/interop/framework/getCSSConfigFile

The utility lists the user providers specified in the search order and queries whether to continuewith the operation.

4 Enter 1 to continue running the utility and 0 to cancel the operation.

5 Monitor the following log files to verify the progress.

l SyncOpenLDAP-Deleted-<time stamp>.log

l SyncOpenLDAP-Updated-<time stamp>.log

l SyncOpenLDAP-NoAction-<time stamp>.log

These log files are created in the %TEMP%/ or %TMP% directory of the logged in user.

6 Restart Shared Services to refresh the cache so that the updates done by the utility are visible to SharedServices.

Updating OpenLDAP root User Password

root, the most powerful OpenLDAP user account, provides complete control over OpenLDAP. The password of the root user account is stored in a file. OpenLDAP does not provide an interface to change this password. To improve security, Shared Services provides a screen to change the root password. If you update the password, Shared Services stores an encrypted version of the password in CSS.xml. The updated password takes effect after you restart OpenLDAP and Shared Services.

Note:

Only a user provisioned with the Shared Services Administrator role can change the password of root.

➤ To update the OpenLDAP root password:

1 Log on to the External Authentication Configuration Console. See Hyperion System 9 Shared Services Installation Guide for detailed information.

2 From Configuration, select Change Native Directory Password.

3 In Current Password, enter the existing root account password. This field is disabled if the default password has not been changed.

4 In New Password and Confirm Password, enter the new password for the root account.

5 Click Save.

6 Restart OpenLDAP by restarting the Hyperion SharedServices9 OpenLDAP Windows service or UNIX process.

7 Restart Shared Services.

Common Hyperion System 9 Log Location

Log files belonging to all Hyperion products are created in the <Hyperion_Home>/logs folder. Log files of each product are created in a product-specific folder. For example, Shared Services log files are created in <Hyperion_Home>/logs/SharedServices9. Similarly, Configuration Utility log files are created in <Hyperion_Home>/logs/config and install log files are created in <Hyperion_Home>/logs/install.

Defining Connection Pools

If you decide to use connection pooling, you can define a connection pool for each user directory configuration by editing the CSS.xml configuration file.

➤ To define a connection pool for a user directory configuration:

1 Using a text editor, open the CSS.xml configuration file. By default, this file is in <HSS_Home>/AppServer/InstalledApps/<AppServer_Name>/<Version_Number>. For example, CSS.xml is in the following directory if Shared Services 9.2.0.3 is deployed on the Tomcat application server:

• C:\Hyperion\SharedServices\9.2\AppServer\InstalledApps\Tomcat\5.0.28 (Windows)

• apps/Hyperion/SharedServices/9.2/AppServer/InstalledApps/Tomcat/5.0.28 (UNIX)

2 In each of the user directory configuration definitions, include a connection pool definition similar to the following:

    <connectionPool>
      <maxSize>100</maxSize>
      <timeout>90000</timeout>
      <evictInterval>60</evictInterval>
      <allowedIdleConnTime>120</allowedIdleConnTime>
      <growConnections>false</growConnections>
    </connectionPool>

See Table 2 for an explanation of these attributes.

A sample CSS.xml user directory definition containing a connection pool definition:

    <ldap name="ExampleLDAP">
      <trusted>true</trusted>
      <url>ldap://example:390/dc=example,dc=com</url>
      <userDN>cn=Directory Manager</userDN>
      <password>{CSS}haGFq18Y1357xXN2b0u+ZQ==</password>
      <authType>simple</authType>
      <connectionPool>
        <maxSize>100</maxSize>
        <timeout>90000</timeout>
        <evictInterval>60</evictInterval>
        <allowedIdleConnTime>120</allowedIdleConnTime>
        <growConnections>false</growConnections>
      </connectionPool>
      <user>
        <url>ou=People</url>
      </user>
      <group>
        <url>ou=Groups</url>
      </group>
    </ldap>

Table 2 Connection Pool Attributes

Element/Attribute       Description
<connectionPool>        Connection pool definition.
<maxSize>               Maximum number of connections in the pool. Default is 100 for LDAP-enabled directories, including MSAD, and 300 for OpenLDAP.
<timeout>               Timeout (in milliseconds) to get a connection from the pool. An exception is thrown after this period. Default is 300000 milliseconds (5 minutes).
<evictInterval>         Optional: The interval (in minutes) for running the eviction process to clean up the pool. The eviction process cleans up idle connections that have exceeded the allowedIdleConnTime. Default is 60 minutes.
<allowedIdleConnTime>   Optional: The time (in minutes) after which idle connections in the pool are cleaned up by the eviction process. Default is 120 minutes.
<growConnections>       Indicates whether the connection pool can grow beyond <maxSize>. Default is false. If you do not allow the connection pool to grow, the system throws an error if a connection is not available within the time set for <timeout>.

3 Verify that each user directory configuration contains a connection pool definition.

4 Optional: Define the socket connection timeout for user directories by including the <socketTimeOut> parameter in the OpenLDAP user directory definition. For example, the following setting specifies a socket timeout of 5 seconds.

    <socketTimeOut>60000</socketTimeOut>

Note:

The socket timeout set for OpenLDAP applies to all configured user directories.

Use a high socket timeout value in the following scenarios:

• A large number of users and groups are defined in the user directory.

• The machines that host the user directories are geographically distant from the machine that hosts Shared Services.

• A low bandwidth network connection exists between the machine that hosts Shared Services and the machine that hosts the user directory.

A sample OpenLDAP definition containing a socket timeout definition:

    <native name="Native Directory">
      <startupRetryInterval>5</startupRetryInterval>
      <startupRetryLimit>5</startupRetryLimit>
      <socketTimeOut>60000</socketTimeOut>
      <connectionPool>
        <maxSize>600</maxSize>
        <timeout>1000</timeout>
        <growConnections>true</growConnections>
      </connectionPool>
    </native>

5 Save and close CSS.xml.

6 Restart Shared Services and all Hyperion System 9 products.
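The following added script (not from the addendum or from Hyperion) reads a CSS.xml, resolves each directory's pool against the Table 2 defaults, and flags what an administrator would review after steps 2 to 4: a directory with no pool, a pool allowed to grow past maxSize, a Native Directory entry without socketTimeOut, and a password not stored in the {CSS} form shown in the sample. The <css> root element, the <msad> directory entry, and treating the {CSS} prefix as the encrypted form are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the CSS.xml fragments in this section. The <css>
# root element, the <msad> entry and its plaintext password are assumptions.
SAMPLE_CSS_XML = """<css>
  <native name="Native Directory">
    <socketTimeOut>60000</socketTimeOut>
    <connectionPool>
      <maxSize>600</maxSize>
      <timeout>1000</timeout>
      <growConnections>true</growConnections>
    </connectionPool>
  </native>
  <ldap name="ExampleLDAP">
    <url>ldap://example:390/dc=example,dc=com</url>
    <password>{CSS}haGFq18Y1357xXN2b0u+ZQ==</password>
    <connectionPool>
      <maxSize>100</maxSize>
      <timeout>90000</timeout>
      <evictInterval>60</evictInterval>
      <allowedIdleConnTime>120</allowedIdleConnTime>
      <growConnections>false</growConnections>
    </connectionPool>
  </ldap>
  <msad name="CorpAD">
    <password>plaintext-secret</password>
  </msad>
</css>
"""


def _int_child(elem, tag, default):
    """Integer value of a child element, or the Table 2 default when it is absent."""
    text = elem.findtext(tag)
    return default if text is None or not text.strip() else int(text.strip())


def effective_pool(directory_tag, pool):
    """Resolve a <connectionPool> element to its effective values using Table 2 defaults."""
    grow = (pool.findtext("growConnections") or "").strip().lower()
    return {
        # Default maxSize is 300 for OpenLDAP (the <native> directory), 100 otherwise.
        "maxSize": _int_child(pool, "maxSize", 300 if directory_tag == "native" else 100),
        "timeout": _int_child(pool, "timeout", 300000),                       # milliseconds
        "evictInterval": _int_child(pool, "evictInterval", 60),               # minutes
        "allowedIdleConnTime": _int_child(pool, "allowedIdleConnTime", 120),  # minutes
        "growConnections": grow == "true",
    }


def pool_settings(xml_text, name):
    """Effective pool settings for the named directory, or None if it defines no pool."""
    for directory in ET.fromstring(xml_text):
        if directory.get("name") == name:
            pool = directory.find("connectionPool")
            return None if pool is None else effective_pool(directory.tag, pool)
    return None


def audit_css(xml_text):
    """Return (directory name, finding) pairs for settings an administrator should review."""
    findings = []
    for directory in ET.fromstring(xml_text):
        name = directory.get("name")
        if name is None:  # assumption: every user directory definition carries a name attribute
            continue
        password = directory.findtext("password")
        if password is not None and not password.startswith("{CSS}"):
            findings.append((name, "password is not stored in the {CSS} encrypted form"))
        if directory.tag == "native" and directory.find("socketTimeOut") is None:
            findings.append((name, "no <socketTimeOut>; the OpenLDAP value governs all directories"))
        pool = directory.find("connectionPool")
        if pool is None:
            findings.append((name, "no <connectionPool> (step 3 requires one per directory)"))
            continue
        settings = effective_pool(directory.tag, pool)
        if settings["growConnections"]:
            findings.append((name, "growConnections=true: pool may exceed maxSize=%d"
                             % settings["maxSize"]))
    return findings
```

Point audit_css at the contents of a real CSS.xml to get the same report for a deployment.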

Using Special Characters

Some restrictions apply to the use and handling of special characters in LDAP-enabled user directories, including MSAD. OpenLDAP and NTLM do not require special handling of characters.

Generally, you must use escape characters while specifying any special character used in user directory settings; for example, user and group URLs, role name, and Base DN.

Table 3 Supported Special Characters

Character   Name or Meaning
(           open parenthesis
)           close parenthesis
"           quotation mark
'           single quotation mark
,           comma
&           ampersand
*           asterisk
<           less than
>           greater than
$           dollar
+           plus
/           slash
\           backslash
^           caret
;           semicolon
#           pound
@           at
=           equal to

Table 4 Special Characters that Should not be Used in Application IDs

Character   Name or Meaning
,           comma
<           less than
>           greater than
&           ampersand
;           semicolon
+           plus
=           equal to

Table 5 Special Characters that Should not be Used in Application Names

Character   Name or Meaning
[           open bracket
]           close bracket
(           open parenthesis
)           close parenthesis

• Special characters are not permitted in the value set for the Login User attribute.

• Asterisks (*) are not supported in user names, group names, user and group URLs, and in the name of the OU in User DN. They are supported only in role names.

• Attribute values containing a combination of special characters are not supported.

• User and group names cannot contain both a backslash (\) and a slash (/). For example, names such as test/\user and new\test/user are not supported.

• Space is not supported as a special character in Base DN.

Table 6 Characters that Need not be Escaped

Character   Name or Meaning
(           open parenthesis
)           close parenthesis
$           dollar
@           at
'           single quote
/           slash
#           pound
^           caret

Characters listed in Table 7 require an escape character if you use them in user directory settings (user names, group names, user URLs, group URLs, and User DN).

Table 7 Escape Characters

Special Character                                      Escape Character   Sample Setting   Escaped Example
comma (,), plus (+), equal to (=), pound (#),          backslash (\)      ou=test<ou       ou=test\<ou
backslash (\), quotation mark ("), and semicolon (;)                      ou=test\ou       ou=test\\ou
less than (<)                                          \&lt;              ou=test<ou       ou=test\&lt;ou
greater than (>)                                       \&gt;              ou=test>ou       ou=test\&gt;ou
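The following added script (not from the addendum) applies the Table 7 escapes to the value part of a setting such as ou=test<ou, and checks a name against the restrictions listed above (asterisks, backslash together with slash, spaces in Base DN, combined special characters). Table 7 lists the pound sign (#) as backslash-escaped while Table 6 lists it as not needing an escape; the code follows Table 7. Reading "a combination of special characters" as more than one distinct special character in a user, group or role name is an assumption.

```python
# Table 7: characters that take a backslash escape, and the two with entity escapes.
# The pound sign (#) appears both here and in Table 6; this code follows Table 7.
BACKSLASH_ESCAPED = set(',+=#\\";')
ENTITY_ESCAPED = {"<": "\\&lt;", ">": "\\&gt;"}
# Table 3: the full set of supported special characters.
SPECIAL_CHARACTERS = set('()"\',&*<>$+/\\^;#@=')


def escape_value(value):
    """Escape a raw attribute value (the part after '=' in an RDN) per Table 7."""
    out = []
    for ch in value:
        if ch in ENTITY_ESCAPED:
            out.append(ENTITY_ESCAPED[ch])
        elif ch in BACKSLASH_ESCAPED:
            out.append("\\" + ch)
        else:
            out.append(ch)  # Table 6 characters and ordinary text pass through unchanged
    return "".join(out)


def escape_rdn(rdn):
    """Escape only the value of an attr=value setting, as in the Table 7 samples."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError("expected attr=value, got %r" % rdn)
    return attr + "=" + escape_value(value)


def check_name(value, kind):
    """Problems with a setting of kind 'user', 'group', 'role', 'url' or 'basedn'."""
    problems = []
    if "*" in value and kind != "role":
        problems.append("asterisk is supported only in role names")
    if kind in ("user", "group") and "\\" in value and "/" in value:
        problems.append("name contains both a backslash and a slash")
    if kind == "basedn" and " " in value:
        problems.append("space is not supported in Base DN")
    # Assumption: "a combination of special characters" means more than one distinct one.
    specials = sorted(ch for ch in set(value) if ch in SPECIAL_CHARACTERS)
    if kind in ("user", "group", "role") and len(specials) > 1:
        problems.append("combination of special characters: " + "".join(specials))
    return problems
```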

Product-Specific Updates

The following Hyperion System 9 products must perform steps to migrate users and groups to support the move OU feature.

• “Analytic Services” on page 21

• “Planning” on page 23

• “Financial Management” on page 23

• “BI+” on page 24

• “Strategic Finance” on page 25

The following Hyperion System 9 products do not need to perform any migration procedures:

• Hyperion® System™ 9 Performance Scorecard™

• Hyperion System 9 Analytic High Availability Services

• Hyperion® System™ 9 BI+™ Analytic Integration Services™

• Hyperion® System™ 9 BI+™ Analytic Provider Services™

• Analytic Deployment Services

Analytic Services

• “Managing ID Attribute Migration in Analytic Services” on page 21

• “MaxL Changes” on page 22

See “Important Considerations When Using the Unique Identity Attribute” on page 10 before starting the migration.

Managing ID Attribute Migration in Analytic Services

Be sure to upgrade Shared Services to use the identity attribute before upgrading Analytic Services. See “Support for User and Group Move Across OUs in User Directories” on page 5 and “Changes to the Configure Provider Screen” on page 11.

Caution!

Hyperion recommends that you back up the Analytic Services security file and the data in OpenLDAP before starting the migration process. After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. To revert, restore user and group data in OpenLDAP and Analytic Services from the backups.

Before starting Analytic Services after the upgrade, edit the IDMIGRATION setting in <Hyperion_Home>\AnalyticServices\bin\essbase.cfg to indicate whether to migrate to the new identity attribute that Shared Services uses.

On starting up, Analytic Services checks essbase.cfg and performs the action indicated by the IDMIGRATION setting.

IDMIGRATION configuration setting syntax:

IDMIGRATION CHECKANDMIGRATE | NOMIGRATION | FORCEDMIGRATION

Table 8 IDMIGRATION Syntax

Syntax             Description
CHECKANDMIGRATE    Default option. Checks for identity attributes that have changed in Shared Services and updates them in Analytic Services security.
NOMIGRATION        Makes no changes in Analytic Services security.
FORCEDMIGRATION    Updates Analytic Services users and groups without checking whether identity attributes have changed.

Note:

After migration is completed, the value of IDMIGRATION is changed to NOMIGRATION.

MaxL Changes

The following MaxL statement sets the level of Shared Services security messaging for Analytic Services. This statement is valid only when Analytic Services is in Shared Services security mode.

    alter system set sss log_level <SSS-MSG-LEVEL>;

where <SSS-MSG-LEVEL> is one of the following:

• DEBUG

• WARN

• ERROR

• INFO

The default log level is WARN.

Planning

See “Important Considerations When Using the Unique Identity Attribute” on page 10 before starting the migration.

Caution!

Hyperion recommends that you back up the user and group data in OpenLDAP and the Planning repository before starting the migration process. After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. To revert, restore user and group data in OpenLDAP and the Planning repository from the backups.

Note:

After upgrading your system, migrate users and groups to the new identity attribute before performing any other operation such as loading security or changing existing security settings. Such changes may be lost during the migration.

Planning stores information about provisioned users and groups in the Planning repository. If Shared Services was upgraded to use the new identity attribute, you must synchronize the information in the Planning repository with that in the configured user directories by clicking Migrate Users/Groups. This button is available in Planning when assigning access to data forms, members, or task lists.

Note:

The HspUserUpdate utility is no longer used to update users.

Financial Management

See “Important Considerations When Using the Unique Identity Attribute” on page 10 before starting the migration.

Caution!

Hyperion recommends that you back up the user and group data in OpenLDAP and Financial Management before starting the migration process. After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. To revert, restore user and group data in OpenLDAP and the Financial Management repository from the backups.

Financial Management records information about provisioned users and groups in the Financial Management repository. If Shared Services was upgraded to use the new identity attribute, you must synchronize the information in the Financial Management repository with that in the configured user directories.

Note:

After upgrading Financial Management, migrate users and groups to the new identity attribute before performing any other operation such as loading security or changing existing security settings. Such changes may be lost during the migration.

Click the Migrate Users button on the Security tab of the Financial Management Configuration Utility to synchronize the information in the Financial Management repository with that in the configured user directories.

Migrating Financial Management users is a one-time operation that must be completed before starting Financial Management after upgrading to Release 9.2.0.3.

BI+

See “Important Considerations When Using the Unique Identity Attribute” on page 10 before starting the migration.

Caution!

Hyperion recommends that you back up the user and group data in OpenLDAP and BI+ before starting the migration process. After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. To revert, restore user and group data in OpenLDAP and the BI+ repository from the backups.

BI+ uses the SyncCSSIdentity_BI utility to synchronize user and group identities stored in its relational database to reflect the identity attribute set in Shared Services. See “Support for User and Group Move Across OUs in User Directories” on page 5 and “Changes to the Configure Provider Screen” on page 11.

Note:

After upgrading BI+, migrate users and groups to the new identity attribute before performing any other operation such as loading security or changing existing security settings. Such changes may be lost during the migration.

Run the SyncCSSIdentity_BI utility only if Shared Services was upgraded to use the new identity attribute. Do not run the utility if Shared Services does not use the new identity attribute or if you do not have stale data resulting from inter-OU moves in the user directories. This utility needs to be run only once after upgrading Shared Services and BI+.

The SyncCSSIdentity_BI utility is installed in <BIPlus_Home>/syncCSSId. Execute the utility after upgrading BI+ but before starting BI+ services.

See <BIPlus_Home>/syncCSSId/ReadmeSyncCSSId_BI.txt for detailed instructions to run the SyncCSSIdentity_BI utility. Runtime information from the utility is written to <BIPlus_Home>/syncCSSId/BI_Sync.log.

On successfully executing the utility, the value of ConfigurationManager.CSSIdSyncState in the V8_PROP_VALUE table in the BI+ database is set to 0 (for NO_SYNC). Other possible values for this property are 1 (CHECK_AND_SYNC, which is the default value) and 2 (FORCE_SYNC).

If the synchronization state in the database is not 0 (NO_SYNC), and the system determines that identity synchronization is required, the authentication service writes warning messages to <Hyperion_Home>/logs/BIPlus/CSSSynchronizer.log. However, BI+ services will run normally.

Strategic Finance

Hyperion® System™ 9 Strategic Finance™ automatically migrates users to the unique identity attribute used by Shared Services to resolve issues where domain name or organizational unit changes might result in the loss of provisioning and object access information.

Documentation Updates

• “Shared Services Log Levels” on page 25

• “User and Group URLs” on page 25

• “Import/Export Utility” on page 26

Shared Services Log Levels

Shared Services supports the following log level settings:

• DEBUG

• WARN

• ERROR

• INFO

Hyperion System 9 Shared Services Installation Guide incorrectly identifies FATAL as a supported log level setting.

User and Group URLs

While configuring external user directories, ensure that you enter user and group URLs exactly as their value is specified in the user directory. Node names contained in user and group URLs are case-sensitive.

Import/Export Utility

BI+ Product Name

HAVA, the internal product name of BI+, must be used in importexport.properties when importing or exporting BI+ roles. Use HAVA-<version> (instead of BI+-<version>) as the value of the producttype attribute. For example:

export.producttype =HAVA-9.2.0.

Using Secure Socket Layer Connections

Secure Socket Layer (SSL) support is available for the Import/Export Utility to export, import, and validate provisioning data. See Hyperion System 9 Shared Services Installation Guide for detailed information on the Import/Export Utility.

➤ To use SSL-enabled connections with the Import/Export Utility:

1 Using a text editor, open importexport.properties.

2 Set the value of the importexport.ssl_enabled property to true; for example, importexport.ssl_enabled=true. If this property is not listed in the Import export operations section of the file, add it.

3 Verify that the value of importexport.cmsport indicates the SSL port where Shared Services is available.

4 Save and close importexport.properties.

Chapter 3. Defects Fixed

The following issues are addressed in this release:

Note:

Numbers in parentheses are internal reference numbers for Hyperion Solutions.

• The MSAD provider needs to support ObjectGUID as the identity attribute rather than the distinguished name (DN). If ObjectGUID is supported and the Security Account Manager name (sAMAccountName) changes, the same user can still be used. (1-156222547)

• When using Native Directory (OpenLDAP), the User Management Console needs to support the display of more than 100 users or groups. (1-343494066, 8-536209890)

• The BI+ Interactive Reporting Web client needs to support processing of non-joined queries. (1-427045660)

• The transaction log files in the OpenLDAP\var\openldap-data directory become large quickly and, if not maintained, could cause the computer to unexpectedly run out of disk space. Files should be automatically backed up and moved to a different directory. (8-505842531)

• A log4j:WARN error occurs each time Shared Services is started. The logger needs to be initialized when the very first servlet is loaded so that the logging functionality is available to all components. (8-507948981)

• When running the BI+ Interactive Reporting Base Service as a Windows service, Global Service Manager (GSM) needs to continue listening on ports 1800 and 1801 even after a Hyperion account logs off the console. (8-509321204)

• Some domains for MSAD are not included when searching for users in User Management Console. (8-510575884)

• Shared Services needs to support security extractions if a provisioned Native Directory (OpenLDAP), NTLM, or MSAD user is deleted. (8-510992786)

• The MSAD provider needs to support product registration if a product has a large number of groups. The group URL must be configured so that CN=LostAndFound. This limits the number of users being searched during product registration. (8-512981497)

• Shared Services needs to support provisioning if there are multiple duplicate CN attributes in the domain. If the CN attributes are the same, then deeper level searches (at the DN level) must be supported. (8-515554164)

• If the data stored in Native Directory (OpenLDAP) does not match the data (case-wise) generated by the security API, you may experience login errors and provisioning report inconsistencies. The data in both places needs to be converted to one case. (8-518242655)

• Shared Services must be able to turn on and off the caching of users and groups at the LDAP/MSAD provider level. (8-520256616)

• Shared Services is allowing a Native Directory (OpenLDAP) group to be added to the Administration Group field in Financial Management (even though it does not allow users to perform administration tasks). The Administration Group field should be left blank or set to Everyone. (8-522881010)

• The MSAD provider needs to support circular groups (where a group is a parent AND child of one group). The group URL must be configured so that CN=LostAndFound (or to a valid group URL that contains no groups). (8-523966595)

• When migrating users to Analytic Services 9.2.x, the Analytic Server freezes when externalizing users to Shared Services. (8-529920396)

• The Sync OpenLDAP Utility needs to support user and group names that begin with two parentheses (for example, ((user1)testing) or ))userATest). (8-531675503)

• If using a localized product and importing a document, the product needs to append the date in a localized format. For example, if importing a document using French, the date appended to the file name must be in a French date format. (8-535599988)

• Shared Services needs to support group membership for multiple users with the same CN. (8-536062659)

• Shared Services needs to support the deprovisioning of users upon deleting them. (8-536185722)

• Shared Services needs to support provisioning on an object if, after provisioning the object by a user, the user is moved. (8-536186089)

• The Shared Services provisioning report needs to display a scroll bar if the report exceeds the length of the display area. (8-536421432)

• Shared Services needs to support one connection per single authentication, and the authentication must reuse the same connection instead of opening a new one for the same authentication. (8-537414624)

• Shared Services needs to support multiple sync security operations after users who are provisioned through a group (that is, users are not directly provisioned) are disabled. (8-538195277)

• The provisioning search filter should not send unnecessary calls to the provider, which results in poor login performance.

• As a user navigates through User Management Console, Shared Services performs unnecessary searches. (8-541773280)

• For SSL URLs, the server needs to redirect to the original published URL instead of trying to fetch the content. In other words, the external URLs need to be launched by redirecting to the browser and then letting the browser fetch the content from the external site. (8-543668039)

• Shared Services needs to provide support for the enabledNestedGroup option for LDAP and MSAD. (8-530715096)

• Shared Services must be able to change the logging level dynamically within the user interface. (8-527330871)