Thursday, May 20, 2021

// // 2 comments

Password Policies and Account Lockout Measure on EPM native 'ADMIN' and External Directory Users

As part of EPM Application audit and security control, most of us would have got this requirement to apply User account lockout measures on all EPM users whenever there is some specified number of consecutive failed login attempts.

Being no exception we too faced this question. Our security team had released following 'Account lockout' requirements to be implemented in EPM:
  • Account lockout after 6 or less consecutive failed login attempts.
  • Re-enable locked account after 30 minutes of lockout.
So we explored the available options in EPM that I have shared below.

We know there are mainly two types of users in EPM system:
  1. Hyperion Shared Services Native users (Admin etc.)
  2. External directory users (Microsoft Active Directory-MSAD, LDAP-enabled user directory, Oracle Internet Directory-OID etc.)
Lets see both one by one.

Hyperion Shared Services Native Directory users (Admin etc.)

There is no inbuilt account lockout and password policies setting for EPM Native Directory users including EPM Shared Services ‘Admin’ account. Therefore EPM Shared services 'Admin' account never gets locked after any number of unsuccessful login attempts (due to the obvious reason that if ADMIN gets locked in EPM then none can unlock it). 

On entering wrong password for EPM native ‘Admin’ account, it keeps throwing following error without being locked:
EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.

Password Policies and Account Lockout Measure on EPM native 'ADMIN' and External Directory Users

You can mitigate this risk for native 'Admin' user failed login attempts by creating a script or using any log analyzing tool to monitor Framework.log present on all Foundation servers (E:\apps\OracleEPM\Middleware\user_projects\domains\EPMSystem\servers\FoundationServicesN\logs\Framework.log) which records the messages for both successful and failed login attempts made by EPM native 'Admin' user.

External directory users (Microsoft Active Directory-MSAD or an LDAP-enabled user directory such as Oracle Internet Directory-OID)

There is no settings within EPM application (till EPM 11.2 release) which can be used to control password policies and account lockout measures for external directory users. 

For external directory users (MSAD, LDAP, OID etc.), password policies and Account lockout measure on failed login attempts can be enforced and controlled at external directory side setup only. So you can check with your external AD team and define password policies for external AD users to specify how many logon attempts to allow before locking out end users and how they will be unlocked. 

EPM System honors all locks controlled by the password policies for the external user directory. Whatever Account lockout policy is set there by your Active Directory (AD) team, EPM system will simply follow that.


That's all for this post.
I hope this article has helped you. Your suggestions/feedback are most welcome.
Keep learning and Have a great day!!!

Share this post:
Read More

Tuesday, May 18, 2021

// // Leave a Comment

EPM 11.1.2.4: EPMA is not compatible with Google Chrome and Microsoft Edge browsers

To get the context of the issue discussed in this blog, I would suggest you to first read following two posts:

EPM 11.1.2.4: Microsoft Edge and Google Chrome browsers support patching : Part-1
EPM 11.1.2.4: Microsoft Edge and Google Chrome browsers support patching : Part-2

In order to make EPM 11.1.2.4 environment compatible to run on Google Chrome and Microsoft Edge browsers we apply some patches mentioned in the following knowledge article: 


Post patching when we validated our EPM environments, all applications like Workspace, Essbase, HFM, HPCM, DRM, FDMEE are working fine. We haven't faced any showstopper issue/error in these applications as such.

But its important to note here that EPMA is not compatible with Google Chrome and Microsoft Edge browsers. It not like EPMA doesn't work at all on Google Chrome and Microsoft Edge browsers. You may face issue while using few of the EPMA functionalities.

One such issue is when we try to create Import Profile in EPMA Dimension Library (EPMA dimension library--File--Import--Create profile--New Profile--File Properties), there is a blank screen coming in place of "File Properties" page in Chrome and Edge browsers. While the same works fine in Internet Explorer browser. Please notice following screenshots depicting the same:

In Google Chrome and Microsoft Edge browsers (Blank Screen):

EPM 11.1.2.4: EPMA is not compatible with Google Chrome and Microsoft Edge browsers

In Internet Explorer browser (Working):

EPM 11.1.2.4: EPMA is not compatible with Google Chrome and Microsoft Edge browsers

So you can recommend your end users to use IE (Internet Explorer) only for EPMA related work. For other applications, Google Chrome and Microsoft Edge work all fine.

That's all for this post. Please let me know in comment box how the latest browsers support patching goes for you.

That's all for this post.
I hope this article has helped you. Your suggestions/feedback are most welcome.
Keep learning and Have a great day!!!

Share this post:
Read More

Tuesday, April 13, 2021

// // 2 comments

EPM 11.2 : 5 Ways To Find Oracle WebLogic Server Version in EPM 11.2

In this post, we will explore 5 ways to find Oracle WebLogic Server version in EPM (Enterprise Performance Management) 11.2 environment. Knowing your WebLogic Server version comes in handy especially when you are planning to apply latest Oracle patches to make WebLogic servers security-compliant in your EPM 11.2 setup. 

EPM (Enterprise Performance Management) 11.2 by default comes with Oracle WebLogic Server 12c (12.2.1.3). Since in Oracle WebLogic Server 12c, the installation directory structure has changed, the usage of registry.xml / java weblogic.Version is a bit different than 11g release. 

Method-1: Oracle WebLogic Server Administration Console

1-Login to your WebLogic Admin console.

2-In the left hand panel, under 'Domain Structure' menu, navigate to Environment—Servers and click on ‘AdminServer’ from the server list. Now click on the ‘Monitoring’ tab and you will see below screen showing your WebLogic version (WebLogic Server 12.2.1.3.0 as shown below):

5 Ways To Find Oracle WebLogic Server Version in EPM 11.2

Method-2: AdminServer.log

1-On WebLogic Admin server, goto the path: E:\Oracle\Middleware\user_projects\domains\EPMSystem\servers\AdminServer\logs

2-Open AdminServer.log file and search for "Version: WebLogic Server".

3-You will get output like below which will tell you your WebLogic server version (WebLogic Server 12.2.1.3.0 as shown below):

5 Ways To Find Oracle WebLogic Server Version in EPM 11.2

Method-3: registry.xml file

1-On WebLogic Admin server, goto the path E:\Oracle\Middleware\inventory.

2-Open registry.xml file and search for “WebLogic Server”.

3-You will get output like below which will tell you your WebLogic server version (WebLogic Server 12.2.1.3.0 as shown below):

5 Ways To Find Oracle WebLogic Server Version in EPM 11.2

Method-4: java weblogic.version

1-On WebLogic Admin server, open command prompt as an Administrator and goto the following path:
cd E:\Oracle\Middleware\wlserver\server\bin
2-Now run below command to first set environment variables for WebLogic server and then display your WebLogic Server version (WebLogic Server 12.2.1.3.0 as shown below): 
setWLSEnv.cmd
java weblogic.version | findstr "WebLogic Server" 
5 Ways To Find Oracle WebLogic Server Version in EPM 11.2

3-For Linux server, command will be like below:
setWLSEnv.sh 
java weblogic.version | grep "WebLogic Server"

Method-5: viewInventory.cmd

1-On WebLogic Admin server, open command prompt as an Administrator and goto the following path:
cd E:\Oracle\Middleware\oui\bin
2-Now run below command to see your WebLogic Server version (WebLogic Server 12.2.1.3.0 as shown below):
viewInventory.cmd | findstr "Distribution:"
5 Ways To Find Oracle WebLogic Server Version in EPM 11.2

3-For Linux server, command will be like below:
viewInventory.sh | grep "Distribution:"

All the 5 methods are equally applicable to Linux servers as well (with the corresponding change in command/script), in order to find Oracle WebLogic server version.

That's all for this post.
I hope this article has helped you. Your suggestions/feedback are most welcome.
Keep learning and Have a great day!!!

Share this post:
Read More

Friday, April 9, 2021

// // Leave a Comment

EPM 11.2: How to check FDMEE application patch version

Its important to know the current patch version of your EPM (Enterprise Performance Management) products/applications, especially when you are planning to apply any new Oracle patches or want to check the compatibility of existing EPM applications with any other products/software/tools.

For FDMEE (Financial Data Quality Management, Enterprise Edition), you can check its current patch version using following methods:

1. AIF_version.xml (more reliable method):

This is the most reliable method because when you apply any new patch to FDMEE, this is the file which will be updated with the new patch level so it always shows the current version of your FDMEE application.

On FDMEE server, you can find AIF_version.xml file in the following folder:

E:\apps\OracleEPM\Middleware\EPMSystem11R1\products\FinancialDataQuality\xml\AIF_version.xml

When you open this AIF_version.xml file, FDMEE version will be displayed as shown below:

EPM 11.2: How to check FDMEE application/patch version

2. Workspace (Not always the true reflection of the current patch level of EPM products)

To see your EPM products versions in Workspace, navigate to: 

Workspace-->Help-->About Oracle Enterprise Performance Management System Workspace, Fusion Edition

You would have seen on many occasions that the EPM products version number shown in Hyperion Workspace do not match the patch versions that have been recently applied in an EPM environment.

It happens because EPM java web applications versions shown in Workspace are sourced from Shared Services registry (logical web application entry--displayVersion property).

EPM 11.2: How to check FDMEE application/patch version

Further the versions displayed in Shared Services registry are sourced from some property/configuration files of the respective EPM products which get updated immediately after applying any new patches. For example, in case of FDMEE, its is AIF_version.xml file as mentioned in method-1.

Sometimes, applications version shown in Workspace or the displayed version shown in Shared Services registry does not get refreshed from the respective source file of that application. And that's when you see a mismatch in version shown in Workspace and the actual application version. And that's why method-1 is more reliable one to know the FDMEE current patch version.

That's all for this post.

I hope this article has helped you. 
Your suggestions/feedback are most welcome.
Keep learning and Have a great day!!!
Read More

Thursday, March 25, 2021

// // 1 comment

Oracle DRM (Data Relationship Management) Application Logs

To access Oracle DRM (Data Relationship Management) application related activities log, there are two methods:

  1. Auditing Transactions, Jobs, and Requests through DRM Web Client
  2. Extracting DRM (Data Relationship Management) application log from backend DRM application database schema

Auditing Transactions, Jobs, and Requests through DRM (Data Relationship Management) Web Client


Oracle Data Relationship Management records a history of different activities performed within an application for audit purposes. 

  • The transaction history logs all operations performed including changes to version data, application metadata, and user security. 
  • The job history tracks the completion of long running processes such as imports, blenders, and exports. 
  • The request history maintains a record of change requests submitted from external applications.

For further details you can read DRM (Oracle Data Relationship Management) Suite User's Guide.

You can query and view transactions, requests, and job history using the Audit task wizard in DRM Web Client navigating through Home --> Audit as shown below:


Oracle DRM (Data Relationship Management) Application Logs

The audit wizard is used to define the parameters and criteria for the query. The wizard content is organized across Source, Filters, and Columns tabs to guide input. Although the wizard tabs are ordered to gather input in a sequence, you can navigate between any tabs.


Oracle DRM (Data Relationship Management) Application Logs


Extracting DRM (Data Relationship Management) application log from backend DRM application database schema


Extracting DRM Transaction History:

In DRM application database schema, there is a table name RM_TRANSACTION_HISTORY that contains a row for each transactional update made to your DRM repository.


Below is all the columns listed what RM_TRANSACTION_HISTORY table consists of: 

Name                                       Null                     Type            

-------------------------- -------- --------                    ------- 

I_TRANSACTION_ID           NOT NULL         NUMBER(38)      

I_DETAIL_ID                         NOT NULL         NUMBER(38)      

D_TIMESTAMP                                                 TIMESTAMP(6)    

I_SESSION_ID                                                   NUMBER(38)      

C_USER_NAME                    NOT NULL        NVARCHAR2(100)  

C_ACTION                                                         NVARCHAR2(40)   

C_ACTION_LEVEL                                          NVARCHAR2(40)   

C_VERSION_ABBREV                                    NVARCHAR2(255)  

I_VERSION_ID                                                  NUMBER(38)      

C_HIERARCHY_ABBREV                              NVARCHAR2(255)  

I_HIERARCHY_ID                                           NUMBER(38)      

C_NODE_ABBREV                                           NVARCHAR2(255)  

I_NODE_ID                                                       NUMBER(38)      

C_NODE_DESCR                                             NVARCHAR2(255)  

C_PROPERTY_ABBREV                                  NVARCHAR2(255)  

I_PROPERTY_ID                                               NUMBER(38)      

B_LEAF                                     NOT NULL     NUMBER(38)      

C_ACTION_DESCRIPTION                             NVARCHAR2(1024) 

X_FROM_VALUE                                                NCLOB           

C_FROM_ORIGIN                                               NVARCHAR2(1024) 

X_TO_VALUE                                                      NCLOB           

C_TO_ORIGIN                                                     NVARCHAR2(1024) 

I_ORIGINATING_ID                                             NUMBER(38)      

I_ORIGINATING_DETAIL_ID                             NUMBER(38)      

C_OBJECT_NAME                                                NVARCHAR2(255)  

I_DOMAIN_ID                                                       NUMBER(38)      

C_DOMAIN_ABBREV                                          NVARCHAR2(255)  

I_WORKFLOW_REQUEST_ID                              NUMBER(38)      

I_WORKFLOW_REQUEST_ITEM_ID                  NUMBER(38)      

C_NODE_TYPE                                                       NVARCHAR2(255)  


As we see, RM_TRANSACTION_HISTORY columns include: Action (e.g. Add Node, Insert Node, Delete Node, and ChangeProp), Node, Hierarchy, Version and Property Name values as well as Node Description, Leaf flag, to and from Property values for ChangeProp operations.

You can query this RM_TRANSACTION_HISTORY table to extract DRM application related logs for a particular time period.

For example, if you want to extract DRM Application log from 13-Mar-2021 to 19-Mar-2021, run following query:

select * from RM_Transaction_History where D_TIMESTAMP between to_date('2021-03-13 00:00:01', 'YYYY-MM-DD HH24:MI:SS') and to_date('2021-03-19 23:59:59', 'YYYY-MM-DD HH24:MI:SS') order by D_TIMESTAMP;

Output:

Oracle DRM (Data Relationship Management) Application Logs


Note: Its preferable to use SQL Developer to extract DRM application logs from backend schema. Make sure in SQL Developer, you have set the date and time format same as mentioned in above query.

Extracting DRM Job History:

DRM Job history is stored in a table name RM_JOB_HISTORY that consists of following columns:



Oracle DRM (Data Relationship Management) Application Logs

You can query this table RM_JOB_HISTORY to extract all job run details.

For example, if you want to extract DRM Job History log from 13-Mar-2021 to 19-Mar-2021, run following query:

select * from RM_Job_History where D_TIME_STARTED between to_date('2021-03-13 00:00:01', 'YYYY-MM-DD HH24:MI:SS') and to_date('2021-03-19 23:59:59', 'YYYY-MM-DD HH24:MI:SS') order by D_TIME_STARTED;

Output:

Oracle DRM (Data Relationship Management) Application Logs

Extracting DRM Request History:

DRM Request history is stored in a table name RM_REQUEST that consists of following columns:


Oracle DRM (Data Relationship Management) Application Logs

You can query this table RM_REQUEST to extract all change requests submitted from external applications.

select * from RM_REQUEST;

That's all for this post.
I hope this article has helped you.
Your suggestions/feedback are most welcome.
Keep learning and Have a great day!!!

Read More

Sunday, March 7, 2021

// // 2 comments

EPM 11.1.2.4: Microsoft Edge and Google Chrome browsers support patching : Part-2

You may like to read Part-1 first to understand the background of Microsoft Edge and Google Chrome browsers support patching in Hyperion/EPM 11.1.2.4 setup. 

In this post, I will tell how it worked for us. We have recently applied these browsers (Microsoft Edge and Google Chrome) compatibility patches in our EPM/Hyperion 11.1.2.4 environment. 

As discussed in last post, below is what we need to apply in order to make your EPM/Hyperion 11.1.2.4 environment working on Microsoft Edge and Google Chrome browsers:

EPM 11.1.2.4: Microsoft Edge and Google Chrome browsers support patching
Important Notes:
  • Above list provides the minimum patch version for each Hyperion application you need to install, If you want, you can go for higher version too. 
  • I assume your EPM/Hyperion 11.1.2.4 environment is up-to-date in terms of patches and you have all the prerequisite patches already applied.
  • Its recommended to have EPM/Hyperion application schemas backup and if possible, backup of the existing installation/configuration directory to handle unforeseen critical issues.
  • You should apply these patches in below given order. 
  • I have all these Hyperion applications installed and configured on Windows server 2012 R2, therefore below given steps are applicable for Windows machines. For other operating systems, you can refer 'README' document of the respective patch number.
  • Stop all the Hyperion services and WebLogic Admin server of your environment before proceeding further.
Lets start the patching now. 

Hyperion Workspace 11.1.2.4.825 (Patch 31124100)
----------------------------------------------------------------------
This patch needs to be applied on all your EPM Foundation/Workspace servers of the Hyperion environment. 

Download the patch and place it under apps\OracleEPM\Middleware\EPMSystem11R1\OPatch directory.

Open command prompt and apply the patch using below commands:

cd E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch 
opatch.bat apply E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch\31124100 -oh E:\apps\OracleEPM\Middleware\EPMSystem11R1 -jdk E:\apps\OracleEPM\Middleware\jdk160_35

Hyperion Shared Services 11.1.2.4.100 (Patch 31319089)
-------------------------------------------------------------------------
This patch needs to be applied on all your EPM Foundation/Workspace servers of the Hyperion environment. 

Download the patch and place it under apps\OracleEPM\Middleware\EPMSystem11R1\OPatch directory.

Open command prompt and apply the patch using below commands:

cd E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch 
opatch.bat apply E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch\31319089 -oh E:\apps\OracleEPM\Middleware\EPMSystem11R1 -jdk E:\apps\OracleEPM\Middleware\jdk160_35

Oracle JDeveloper / Application Development Framework 11.1.1.7.1 (Patch 31246831)
-----------------------------------------------------------------------------------------------------------------
This patch needs to be applied on all your EPM Foundation/Workspace servers of the Hyperion environment. 

After downloading the patch zip file, extract it to C:\Patch_Top. There should now be a 31246831 directory in the C:\Patch_Top directory.

Open command prompt and apply the patch using below commands:

cd E:\apps\OracleEPM\Middleware\oracle_common\OPatch\ 
opatch.bat apply C:\Patch_Top\31246831\oui -oh E:\apps\OracleEPM\Middleware\oracle_common -jre E:\apps\OracleEPM\Middleware\jdk160_35

Hyperion Planning, Hyperion Capital Asset Planning, Hyperion Workforce Planning, Hyperion Project Financial Planning 11.1.2.4.009+ (Patch 29889455)
---------------------------------------------------------------------------
This patch needs to be applied on all your Hyperion Planning application servers and Web servers of the environment. 

Download the patch and place it under apps\OracleEPM\Middleware\EPMSystem11R1\OPatch directory.

Open command prompt and apply the patch using below commands:

cd E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch 
opatch.bat apply E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch\29889455 -oh E:\apps\OracleEPM\Middleware\EPMSystem11R1 -jdk E:\apps\OracleEPM\Middleware\jdk160_35

Delete the tmp directory for the Planning server in: 

<MIDDLEWARE_HOME>/user_projects/domains/EPMSystem/servers/<server> 
where <server> is the Planning server (for example, Planning0).

The full path for tmp is: <MIDDLEWARE_HOME>/user_projects/domains/EPMSystem/servers/<server>/tmp.

Hyperion Calculation Manager 11.1.2.4.014  (Patch 28557058)
-------------------------------------------------------------------------------
This patch needs to be applied on all your Calculation Manager servers and Web servers of the Hyperion environment. 

Download the patch and place it under apps\OracleEPM\Middleware\EPMSystem11R1\OPatch directory.

Open command prompt and apply the patch using below commands:

cd E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch 
opatch.bat apply E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch\28557058 -oh E:\apps\OracleEPM\Middleware\EPMSystem11R1 -jdk E:\apps\OracleEPM\Middleware\jdk160_35

On the server where Oracle Hyperion Calculation Manager is installed, delete the cached files in the following directories:

<Middleware_Home>/user_projects/domains/<DOMAIN_NAME>/servers/<CalcMgr0>/tmp 
<Middleware_Home>/user_projects/domains/<DOMAIN_NAME>/servers/<CalcMgr0>/cache

Hyperion Financial Reporting 11.1.2.4.712  (Patch 30670918)
----------------------------------------------------------------------------------
This patch needs to be applied on all your Financial Reporting servers, Web servers and also on HFM application server (if you use HFR for reporting) of the Hyperion environment. 

To apply this patch first Uninstall the Financial Reporting Studio by going to Control Panel, Add or Remove Programs, and then uninstall Financial Reporting Studio. 

On the Financial Reporting server machines, download the patch and place it under apps\OracleEPM\Middleware\EPMSystem11R1\OPatch directory.

Open command prompt and apply the patch using below commands:

cd E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch

opatch.bat apply E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch\30670918 -oh E:\apps\OracleEPM\Middleware\EPMSystem11R1 -jdk E:\apps\OracleEPM\Middleware\jdk160_35

Delete the Financial Reporting precompiled jsp files located at:
<ORACLE_HOME>\Middleware\user_projects\domains\EPMSystem\precompiled\hr

Use the EPM System configurator to redeploy the Financial Reporting Web Application.  If RA Framework, OHS, or IIS are installed on a separate host, it must be patched also.

In order to run the new Oracle Hyperion Financial Reporting Web Studio, you must enable proxying. I am sure it would have already been enabled in your environment too. If not, kindly refer 'README' document of the patch.

At the end, when you start your EPM services, remember to connect to the EPM Workspace machine on patched Financial Reporting server machine. Download the Financial Reporting Studio installer from the EPM Workspace menu: From the Tools menu, select Install and then select Financial Reporting Studio and then launch the installer. Follow the installation guide to install the Financial Reporting Studio to the location you want.

Hyperion Financial Management PSU 11.1.2.4.209 (Patch 29343616)
----------------------------------------------------------------------------------------
This patch needs to be applied on all your Hyperion Financial Management application servers, HFM Web servers and also on HFR application server (if you use HFR for reporting) of the Hyperion environment.  

Download the patch and place it under apps\OracleEPM\Middleware\EPMSystem11R1\OPatch directory.

Open command prompt and apply the patch using below commands:

cd E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch

opatch.bat apply E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch\29343616 -oh E:\apps\OracleEPM\Middleware\EPMSystem11R1 -jdk E:\apps\OracleEPM\Middleware\jdk160_35

If you are applying this patch to version 11.1.2.4.208 or an earlier version, also execute the following sql command to upgrade the HFM schema against the Financial Management database. Use appropriate sql as per your database type.

<EPM_ORACLE_HOME>\products\FinancialManagement\Server\conf\<DB Type>_from_11.1.2.4.208_to_11.1.2.4.209_SchemaUpgrade.sql

E:\apps\OracleEPM\Middleware\EPMSystem11R1\products\FinancialManagement\Server\conf\Oracle_from_11.1.2.4.208_to_11.1.2.4.209_SchemaUpgrade.sql

In addition, you must run below by login to HFM schema:

<EPM_ORACLE_HOME>\products\FinancialManagement\Server\conf\Oracle_Create_ImportApp.sql

<EPM_ORACLE_HOME>\products\FinancialManagement\Server\conf\Oracle_Create_InsightDetails.sql

This step is required for 'Importing Application' feature. 

If you are using the extract data to database functionality with Oracle database as the target database, you will need to reconfigure DSN. To reconfigure:
  1. Select Navigate, then Administer, and then Consolidation Administration.
  2. From Admin Tasks, click Configure DSN. 
  3. Select any data source that has Oracle database as database type, and then click on Edit.
  4. Enter the database connection information, including the database server network address as Host.
  5. Click Test Connection. If successful, click on Save.

Hyperion Financial Close Management and Hyperion Tax Governance 11.1.2.4.253+ (Patch 29060830)
Hyperion Tax Provision 11.1.2.4.202+ (Patch 25316913)
---------------------------------------------------------------------------
We don't use these two components in our EPM setup. You can follow README document to apply these patches, if there components are there in your EPM/Hyperion environment.

Hyperion Data Relationship Management 11.1.2.4.350  (Patch 31420887)
---------------------------------------------------------------------------------------------
This patch needs to be applied on all your DRM application server and DRM Web services servers of the Hyperion environment.  

Make sure you have stopped the DRM services. 

Take a backup of DRM schema (Must!) before applying the DRM patch.

Save a backup copy of the drm-config.xml file found under directory
E:\apps\OracleEPM\Middleware\EPMSystem11R1\products\DataRelationshipManagement\server\config

Uninstall the existing 11.1.2.4 release:
a.    Stop the Data Relationship Management service.
b.    Verify all processes are shut down.
c.    Run the installer from that release and choose the Remove option.

Run the new setup.exe to install this patch release.

If a multiple-machine configuration is being used, repeat the uninstall and install steps above for each machine.

When using an Oracle repository and upgrading from a Data Relationship Management release prior to 11.1.2.4.330, run the following statement for the current schema owner for each application to be updated: GRANT CREATE TYPE, CREATE SEQUENCE TO <user>;

In the Configuration Console on the application controller machine, select Application, then 'Apply Updates' for all existing applications.

Make sure to save any configuration changes made in the Data Relationship Management Console. Click on save configuration to do so. 

Redeploy the Data Relationship Management Web service application (oracle-epm-drm-webservices.ear) to Oracle Weblogic. The oracle-epm-drm-webservices.ear file is located in the %EPM_ORACLE_HOME%\products\DataRelationshipManagement\api directory. This step is only required if applying this patch to an installation where the Web service application has been previously deployed. See the “Redeploying a Web Services Application” section in the Oracle® Fusion Middleware Security and Administrator's Guide for Web Services for instructions to redeploy using Oracle Enterprise Manager. 

FDMEE (Hyperion Financial Data Management) Patch Set Update 11.1.2.4.220 (Patch 25312033)
----------------------------------------------------------------------------------------------------------------------
This patch needs to be applied on all your Hyperion Financial Data Management application servers (FDMEE) of the Hyperion environment.  

Download the patch and place it under apps\OracleEPM\Middleware\EPMSystem11R1\OPatch directory.

Open command prompt and apply the patch using below commands:

cd E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch

opatch.bat apply E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch\25312033 -oh E:\apps\OracleEPM\Middleware\EPMSystem11R1 -jre E:\apps\OracleEPM\Middleware\jdk160_35

Additional Installation Instructions:

1.    Copy the following script files.
For Windows, copy from:
EPM_ORACLE_HOME/FinancialDataQuality/bin/executescript.bat.template 
to:
EPM_INSTANCE_HOME/FinancialDataQuality/executescript.bat

2.    If your deployment is a distributed environment where Hyperion Financial Management and Planning are on different servers than FDMEE, copy the following jar files:

Copy files from the Hyperion Financial Management server folder EPM_ORACLE_HOME\common\hfm\11.1.2.0\lib to the same directory on the FDMEE server.
Copy files from the Planning server on the EPM_ORACLE_HOME\common\planning\11.1.2.0\lib to same directory on the FDMEE server.

3. Now, on the servers where FDMEE is installed, you must delete tmp and cache files in the following directories:

<MIDDLEWARE_HOME>/user_projects/domains/<DOMAIN_NAME>/servers/<MANAGED_SERVER_NAME/tmp/

<MIDDLEWARE_HOME>/user_projects/domains/<DOMAIN_NAME>/servers/<MANAGED_SERVER_NAME/cache

Hyperion Profitability and Cost Management (HPCM) 11.1.2.4.131 (Patch 31159372)
-----------------------------------------------------
This patch needs to be applied on all your Hyperion Profitability and Cost Management (HPCM) of the Hyperion environment. 

Perform a full system backup, including EPM Architect and the Profitability and Cost Management databases. If you have Management Ledger applications, you should back them up using Life Cycle Management (LCM) in Shared Services. 

This patch must automatically re-register your Profitability and Cost Management applications, which will delete native non-Admin user provisioning.  Use Life cycle Management (LCM) in the Shared Services console to export the Native Directory under Foundation, usually located at Foundation => Shared Services => Native Directory, so you can restore it later.  
 1)  From the Shared Services console, open the Application Groups folder.
 2)  Open the Foundation sub-folder and select Shared Services.  
 3)  Export the Native Directory artifact and all content under it.  

You will need the resulting LCM export file later to restore the user provisioning.

Download the patch and place it under apps\OracleEPM\Middleware\EPMSystem11R1\OPatch directory.

Open command prompt and apply the patch using below commands:

cd E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch

opatch.bat apply E:\apps\OracleEPM\Middleware\EPMSystem11R1\OPatch\31159372 -oh E:\apps\OracleEPM\Middleware\EPMSystem11R1 -jdk E:\apps\OracleEPM\Middleware\jdk160_35

Clear the WebLogic cache under
E:\apps\OracleEPM\Middleware\user_projects\domains\EPMSystem\servers\Profitability0

When you will start the Profitability service (Hyperion Profitability - Java Web Application) it automatically performs any required database updates after applying a new patch - there is no need to run a manual SQL script.

Invoke Profitability and Cost Management, open an application, and check in the System Information tab under Model Summary to verify that the Schema Version is 11124.153. If instead you get a Schema Version Mismatch error, report this to Oracle Support.  You can also search the hpcm.log file for SQL errors following the first recent occurrence of the string '11124.153'. If you find an error that you can resolve, the database upgrade can be performed manually after resolving the error, to complete the installation (see the Performing Manual Database Updates section below).

From the Shared Services console, import the LCM file you created earlier, to restore the native user provisioning.

Note also that any changes made previously to the hpm_ws_client.properties file to customize either of the web services sample programs will be overwritten by the patch and must be reapplied.

Optional – Performing Manual Database Updates (only when there are errors in the automatic update):
--------------------------------------------------------------------------------------------------------
If errors occurred during the automatic database updates performed during service startup, and you have identified and corrected the problem, you can follow these instructions to complete the required database updates manually.

1.    Shut down the Profitability service (Hyperion Profitability – Web Application).

Run the appropriate database update patch script for your database type.  Run the script from the Profitability and Cost Management product database/schema/user.  Capture the SQL script log output and save it.  If there are any errors, report them to Oracle Support.

Database Type: MS SQL Server 
Database Patch Files: Run the following database update script using Microsoft SQL Server Management Studio against the Profitability and Cost Management product database: <EPM_ORACLE_HOME>\products\Profitability\database\Common\MSSQLServer\create_11.1.2.4.131.sql

Database Type: Oracle
Database Patch Files: Run the following database update script in the Profitability and Cost Management product schema/user using Oracle SQL Developer:<EPM_ORACLE_HOME>\products\Profitability\database\Common\Oracle\create_11.1.2.4.131.sql

2.    Start the Profitability service (Hyperion Profitability - Java Web Application).

3.    Invoke Profitability and Cost Management, open an application, and check in the System Information tab under Model Summary to verify that the Schema Version is 11124.142.  

4.    For each Detailed application, you must re-deploy the Reporting Tables and Views.

5.    Complete any remaining steps you have not performed in the Applying this Patch section above.

Once all the patching steps are completed, do the following:
--------------------------------------------------------------------------------------------
1.    Stop all EPM services.

2.    For each of the following folders, create a backup copy of the folder, then delete all the contained files within the original folders:

apps\OracleEPM\Middleware\user_projects\domains\EPMSystem\servers\FoundationServices$\cache

apps\OracleEPM\Middleware\user_projects\domains\EPMSystem\servers\FoundationServices$\tmp

apps\OracleEPM\Middleware\user_projects\domains\EPMSystem\servers\RaFramework$\cache

apps\OracleEPM\Middleware\user_projects\domains\EPMSystem\servers\RaFramework$\tmp

apps\OracleEPM\Middleware\user_projects\domains\EPMSystem\precompiled\raframework

apps\OracleEPM\Middleware\user_projects\domains\EPMSystem\precompiled\workspace

[NOTE: The value of the above strings will actually be a digit in your environment (e.g., FoundationServices0). Depending on the deployment, the number could be 0, 1, 2, etc.]

3.    You need to clear browser's cache and temporary files on all the client/users machines.

4.    Start all EPM services and WebLogic Admin server of your EPM environment.

5.    Validate the Hyperion applications on Microsoft Edge and Google Chrome 80+ browsers.

Post patching, all EPM applications like Workspace, Essbase, HFM, HPCM, DRM, FDMEE are working fine in our environments (DEV/TEST/PROD). We haven't faced any showstopper issue/error in these applications as such. 

There is one issue observed in EPMA that you can read about in below article:



That's all for this post. 

I hope this article has helped you. 
Your suggestions/feedback are most welcome.

Keep learning and Have a great day!!!
Read More

Wednesday, October 28, 2020

// // 36 comments

ROBOCOPY Backup files over Network paths and ERROR 5 (0x00000005) Copying NTFS Security to Destination Directory-Access denied

As part of the annual EPM DR Rehearsal, we got a requirement to move Prod Application backup files from PROD Network location to DR network path.

In this post, we will see how we can RoboCopy EPM backup files from one Network location to another network path.

Why ROBOCOPY?

If you are copying files from one network path to another and you have Windows Vista or later operating systems then Robocopy is a better choice than any other option. Because you don't need to bother with drive mappings, since it handles UNC paths just fine.

Robocopy is not a third party software. It's native (built-in) to all versions of Windows Vista and later.

It is usually far more reliable than xcopy command, and provides a lot more options.

Robocopy is tolerant of interrupts during copying i.e. it can pick up where it left off if it gets stopped for some reason. It has the ability to recover from certain types of network hiccups automatically.

Read Link1 and Link2 for more details about ROBOCOPY and its various options.

Script using ROBOCOPY to copy EPM backups from PROD to DR network path:

@echo off

for /f "delims=" %%a in ('wmic OS Get localdatetime ^| find "."') do set "dt=%%a"

::Format the WMIC command output in DDMMYYYY format

set "YY=%dt:~0,4%"

set "MM=%dt:~4,2%"

set "DD=%dt:~6,2%"

set "today_date=%DD%%MM%%YY%"


::Define Source path

set sourcepath1=\\PROD_Network_Share\data\EPM_Backups\%today_date%

set sourcepath2=\\PROD_Network_Share\data\EPM_Backups\DataZip

set sourcepath3=\\PROD_Network_Share\data\EPM_Backups\Scripts


::Define Destination path

set destinationpath1=\\DR_Network_Share\data\EPM_Backups_Copy\%today_date%

set destinationpath2=\\DR_Network_Share\data\EPM_Backups_Copy\DataZipCopy

set destinationpath3=\\DR_Network_Share\data\EPM_Backups_Copy\ScriptsCopy\%today_date%


::Define Log path

set logfile=E:\Admin\Prod_To_DR_Copy.log


::Run RoboCopy commands

REM Copy all the files, folders and sub-folders from source to destination

robocopy %sourcepath1% %destinationpath1% /E /COPY:DAT /NP /LOG+:"%logfile%"


REM Copy today'sdate(DDMMYY).zip file from source to destination

robocopy %sourcepath2% %destinationpath2% %today_date%.zip /COPY:DAT /NP /LOG+:"%logfile%"


REM Copy all the files with extensions .sh, .mxl, .ksh, .scr from source to destination

robocopy %sourcepath3% %destinationpath3% *.sh *.mxl *.ksh *.scr /COPY:DAT /NP /LOG+:"%logfile%"


Below is what each ROBOCOPY command options used above means:
  • /E = Copy files including subfolders (even empty ones)
  • /COPY:copyflag[s] = what to COPY for files. Here we have selected DAT: D=Data, A=Attributes, T=Timestamps 
  • /NP = No Progress - don’t display % copied text in logfile; this keeps filesize down. 
  • /LOG+:logfile = Output status to LOG file (+= append to existing log).
ERROR 5 (0x00000005) Copying NTFS Security to Destination Directory. Access denied

When I was trying to figure out the right set of options for ROBOCOPY command, I encountered this error multiple times.

This error is usually caused by RoboCopy trying to copy the security settings of the files, and this causes some mismatch regarding the file permissions. 

There is a /B switch in RoboCopy for copying in backup mode but Backup mode cannot circumvent explicit NTFS deny ACL’s if the copier isn’t the objects’ owner.

Solution: Use /COPY:DAT only

Option /COPY:copyflag[s] can take multiple values based on what you want to copy for files. To Copy ALL file info (equivalent to /COPY:DATSOU), there is an option /COPYALL.

To overcome the above-mentioned error, you should use /COPY:DAT instead of the /COPYALL option, because /COPY:DAT  ignores the NTFS access control lists (the COPY:S parameter) of the files you're copying. 

This works because /COPYALL is equivalent to /COPY:DATSOU, D=Data, A=Attributes, T=Timestamps, S=Security=NTFS ACLs, O=Owner info, U=aUditing info. While we mainly need Data and Timestamps of the files for EPM backups.

That's all for this post.

I hope this article has helped you. 
Your suggestions/feedback are most welcome.

Keep learning and Have a great day!!!
Read More