09 November 2015

HFM still insecure

In the last few months, I've described how HFM is not working in secure configurations (i.e. does not support encryption/SSL):
It looks like the recently-released patch .102 still does not fix this glaring omission. Clearly security is very low in Oracle's list of priorities (but I'm sure their cloud setups are really really secure, uh-uh...).

Anyway, in the previous posts I recommended to work around this problem by having all HFM components on one single well-firewalled box. This setup was already sub-optimal (it's a single point of failure, and of course it might not meet some workload requirements), but as I went through other items it became clear that it's even more untenable than I previously thought.

This is because components integrating with HFM (Financial Reporting, Calculation Manager, OBIEE and so on) will talk directly to application and cluster processes, bypassing the Weblogic-based web-application. Because of the previously-mentioned bug, communication will be completely unencrypted.

This means that theoretically, if any component uses the HFM API to integrate, it would have to run on the same single box as HFM.

You're going to need a bigger boat

The only exceptions to this rule are:
  • the EPM Architect Dimension Server service, which will go through the web-app for its own calls (all related to metadata, like deployment, lookups etc). However, EPM Architect's own DataSynchronization service (which can automatically copy data across EPM products) will again go directly to appserver processes without encryption.
  • webservices-based products like Financial Close Manager, Tax Governance etc (i.e. products built on Oracle SOA). These integrate with HFM via its web service interface exposed by Weblogic, which can be easily secured with SSL.

Bonus: a teaser

If you feel adventurous, you can figure out why HFM does not work with SSL.

  1. Create the EPM Registry properties mentioned in logs as reported in my first post.
  2. Run Process Monitor while you start the HFM JavaServer process.
  3. In the resulting capture, look for "File Not Found" containing "user_projects" in path. One of these files should look familiar...

No comments: