09 December 2015

how to fix jEdit 5.3.0 on OSX with Retina screen

jEdit is a great little editor: very flexible, much plugins, such macros, so java.
However, for some reason jEdit developers strenuously refuse to fix their OSX package to support Retina screens. Three years since these screens started getting popular, you still have to repeat the following procedure after each jEdit installation or update, in order to avoid getting blurry fonts everywhere:
  1. quit jEdit if open
  2. in Finder, right-click on jEdit in Applications, select Show Package Contents
  3. go to the Contents folder, then edit Info.plist by adding these two lines at the end of the file, just before </dict>:
    <key>NSHighResolutionCapable</key>
    <true/>
  4. force OSX to re-cache the plist by executing the following command in a terminal:
    defaults read /Applications/jEdit.app/Contents/Info.plist
  5. Restart jEdit. Icons will still look crappy (the "classic" theme slightly better than "tango"), but the rest will be ok.
On a more positive note, jEdit 5.3.0 (running on Java 1.8.0_66) seems to have fixed the crashes I've had for a year. Welcome back, "little editor that could".

09 November 2015

HFM 11.1.2.4.102 still insecure

In the last few months, I've described how HFM 11.1.2.4 is not working in secure configurations (i.e. does not support encryption/SSL):
It looks like the recently-released patch .102 still does not fix this glaring omission. Clearly security is very low in Oracle's list of priorities (but I'm sure their cloud setups are really really secure, uh-uh...).

Anyway, in the previous posts I recommended to work around this problem by having all HFM components on one single well-firewalled box. This setup was already sub-optimal (it's a single point of failure, and of course it might not meet some workload requirements), but as I went through other items it became clear that it's even more untenable than I previously thought.

This is because 11.1.2.4 components integrating with HFM (Financial Reporting, Calculation Manager, OBIEE and so on) will talk directly to application and cluster processes, bypassing the Weblogic-based web-application. Because of the previously-mentioned bug, communication will be completely unencrypted.

This means that theoretically, if any component uses the HFM API to integrate, it would have to run on the same single box as HFM.

You're going to need a bigger boat

The only exceptions to this rule are:
  • the EPM Architect Dimension Server service, which will go through the web-app for its own calls (all related to metadata, like deployment, lookups etc). However, EPM Architect's own DataSynchronization service (which can automatically copy data across EPM products) will again go directly to appserver processes without encryption.
  • webservices-based products like Financial Close Manager, Tax Governance etc (i.e. products built on Oracle SOA). These integrate with HFM via its web service interface exposed by Weblogic, which can be easily secured with SSL.

Bonus: a teaser

If you feel adventurous, you can figure out why HFM does not work with SSL.

  1. Create the EPM Registry properties mentioned in logs as reported in my first post.
  2. Run Process Monitor while you start the HFM JavaServer process.
  3. In the resulting capture, look for "File Not Found" containing "user_projects" in path. One of these files should look familiar...

07 November 2015

Link feeds about Weblogic, EPM, Hyperion etc

I've recently started using the excellent Pinboard bookmark manager (a wonderful throwback to the glory days of del.icio.us) to keep track of interesting posts. While I think about the best way to syndicate those links across all my public accounts, you can check out these feeds:

26 October 2015

Cluster strategies in Oracle Hyperion Financial Management

While poking around HFM for other reasons, I’ve found a bunch of interesting constants...
  • STR_HITREG_SERVER_STRATEGY = "ServerStrategy";
  • STR_HITREG_SERVER_STRATEGY_ROUNDROBIN = "0";
  • STR_HITREG_SERVER_STRATEGY_RANDOM = "1";
  • STR_HITREG_SERVER_STRATEGY_LOADBASED = "2”;
From other code and messages, it looks like ServerStrategy is supposed to be a property of the HFM database node in EPM Registry. It’s retrieved on startup, and will always default to 0 (”round robin”) because the property is not actually there unless you manually create it. It lseems to govern the load-distribution strategy employed by clients (i.e. the HFM web application), i.e. where to send each new login if the user has not logged on before and/or the documented StickyServer option is not enabled.

Don't raise your expectations anyway: it looks like the ”load based” strategy (2) has not actually been implemented yet, and if you choose it you’ll actually get the Round-Robin one; whereas ”Random” (1) is really random.

From what I can gather, Round-Robin will follow the list of servers specified in property serverList of the cluster node in EPM Registry, going through the list in the specified order. It’s also entirely in memory and never saved to disk or DB, from which we can deduce that:
  • each webapp or client will do its own thing, with no coordination between them;
  • each webapp or client will forget everything on restart;
  • each webapp will default to Round-Robin strategy and send logins to each appserver in the order specified by serverList
The main advice at this point is hence to keep your beefier appservers at the beginning of serverList, since they're more likely to receive traffic. Alternatively, add ServerStrategy and trust the random algorithm to distribute logins... randomly ;)

I suspect this stuff is a prelude of things to come, because it’s used in sections of code that also deal with SSL initialisation for communication with the appserver, i.e. something that is not quite baked yet but must have been added recently. It’s also pure Java, so can’t be older than 11.1.2.2. Does that mean we’ll finally get real load-balanced clustering in HFM (more than 10 years after people asked for it)…?

18 October 2015

Financial Management 11.1.2.4.101 still cannot be secured

I was hoping the recent wave of patches (.100 and .101) for HFM-- sorry, Oracle EPM Financial Management 11.1.2.4 would have started to address those well-known security problems that have been plaguing this (otherwise remarkable) release. Unfortunately, that is not the case.

To begin with, the server component is still looking for the wrong properties in registry ("isSSL" and "SSL_Port" rather than the actually existing "isSslEnabled" and "ssl_port"). This means that, whichever option you select in Configuration Utility, the component will default to ssl-disabled.

If we try to trick it, by manually adding the properties it's looking for, we get the following errors and the service shuts down:

[...] [FM] [ERROR] [] [oracle.FM.HSX.SERVER.oracle.epm.fm.hsxserver.HsxServer] [...] 
[SRC_CLASS: oracle.epm.fm.hsxserver.HsxServer] 
[SRC_METHOD: startThriftServices] An error occurred while starting HSX_SERVER_NAME service.[[
org.apache.thrift.transport.TTransportException: Either one of the KeyStore or TrustStore must be set for SSLTransportParameters
at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:99)
at oracle.epm.fm.common.BaseSeviceManager.getSSLServerTransport(BaseSeviceManager.java:121)
at oracle.epm.fm.common.BaseSeviceManager.startService(BaseSeviceManager.java:68)
at oracle.epm.fm.hsxserver.HsxServer.startThriftServices(HsxServer.java:64)
at oracle.epm.fm.hsxserver.HsxServer.init(HsxServer.java:43)
at oracle.epm.fm.hsxserver.HsxServer.main(HsxServer.java:27)
]]
[...] An error occurred while starting HSX_SERVER_NAME service.[[
oracle.epm.fm.common.exception.HFMException: EPMHFM-66019: An error occurred while starting HSX_SERVER_NAME service.
at oracle.epm.fm.hsxserver.HsxServer.startThriftServices(HsxServer.java:70)
at oracle.epm.fm.hsxserver.HsxServer.init(HsxServer.java:43)
at oracle.epm.fm.hsxserver.HsxServer.main(HsxServer.java:27)
]]

As you can see, it complains about missing keystores. This was always a possibility, since we never got a chance to specify such a thing during configuration; however, most SSL-aware software usually ships with demo keys preconfigured for tests, so it was not unreasonable to expect HFM would do the same. No such luck!

Hopefully both problems will be comprehensively addressed sooner rather than later. As it is, secure 11.1.2.4 implementations still have to rely on both HFM web and app components running on a single box with a tight firewall, which is far from ideal.

Bonus: Peeking Under The Hood


These errors lift the veil on some of the development strategies Oracle employed to remove hard dependencies between HFM and Windows-specific DCOM.

It looks like they are using Apache Thrift, which can be roughly described as a serializer library to auto-generate network APIs for existing programs. They basically dropped DCOM network code and replaced it with a simpler network interface built on (if my speculation from the previous post is correct) some Weblogic subcomponent; this interface uses Thrift-generated serializations to pass data between appserver processes and the ADF-based web application.

In theory, such an approach could make it easier for third-party components to open connections directly to the HFM appserver, bypassing the need for specific client libraries (with their byzantine requirements) and just using Thrift to figure out necessary calls. However, I'm not really an expert in this field and I don't really know what this effort would entail; at this point, your best bet for custom integration is still likely to be the official HFM SDK.

13 October 2015

OSX 10.11 El Capitan / Sierra and Kinesis Freestyle 2 Bluetooth little glitch

UPDATE 2017-04-25: this solution came in handy when I had another glitch with Sierra: keys would lag or repeat very erratically. Tried resetting pram etc to no avail, so then I performed these steps out of desperation and it all went back to normal.

After upgrading to El Capitan, my Kinesis Freestyle 2 Bluetooth keyboard had a small issue, which I'm documenting here in case other people hit it.

Basically, after installing the OS update, F*/special keys were dead. Solution:

  1.  Open System Preferences -> Bluetooth
  2. Click on the X icon to the right of the keyboard, in order to un-pair it.
  3. turn the Kinesis off, then on again, and press the CONNECT button at the back of the keyboard
  4. The keyboard should pop on the screen, select it and pair it again (you will have to type a few numbers shown on screen)
All done! You should now have your special keys back.

04 October 2015

"Erase Free Space" on OSX to reclaim space

Being a heavy VMWare user, my laptop disk is always very close to being full. In a perennial search for space-saving tips, I've found a few sources mentioning the "Erase Free Space" command in Disk Utility could help reclaim a few GBs.

What is this command? Most operating systems "cheat" when deleting a file: they just mark sectors containing the file as free, without actually deleting any data. "Erase Free Space" is meant to actively write zeroes on all disk sectors reported as free, in order to actually erase content that might have been written to such sectors at some point in the past. It's a privacy / security feature, not supposed to reclaim space, but hey, it won't hurt to try! So I decided to give it a spin.

My experience was as follows:
  1. Verified that I had 34 GB of free space (out of 500).
  2. Launched Disk Utility selected the disk partition  i.e. the lowest "Macintosh HD" leaf item in tree menu.
  3. Selected the Erase tab, clicked on Erase Free Space in the lower-left area. Because I have an SSD disk, I chose the "fastest" level: excessive wear should be avoided on SSD disks as much as possible, and I was not performing this operation for security reasons anyway so I didn't really care.
  4. Observed disk free space dropping to zero in about a minute. Received message that disk is full (fair enough) and then another that Disk Utility failed to erase free space. Reported free space was now 34 GB again.
  5. At this point, retrying the operation or going to First Aid -> Verify Permissions returned all sorts of errors about the disk being locked. One error was this: "This disk needs to be repaired using the Recovery HD. Restart your computer, holding down the Command key and the R key until you see the Apple logo. When the OS X Utilities window appears, choose Disk Utility."
  6. I duly followed the procedure; however, when I launched Disk Utility in Recovery mode, almost everything was greyed out except "Verify Disk". This is because I use FileVault (i.e. total disk encryption) so the generic recovery utility, by design, has no access to the actual filesystem, which it sees as a single huge chunk of garbage data spanning the entire drive. It was a welcome surprise: it looks like this security feature actually works as it should.
  7. I clicked Verify Disk where I could (on the top disk item) and it didn't report any problem. Closed Disk Utility and went to the Apple menu -> Restart.
  8. After logon, all permissions-related commands in Disk Utility were usable again.
  9. Most importantly, I now had 39 GB of free space.
Conclusion: it was a slightly scary experience, but got me back a nifty 5GB (or 1% of drive), so I guess I'll do it again in a couple of months.  I suspect the saving might actually be due to OSX reacting to a sudden lack of free space by flushing all the semi-permanent caches it can find; either that, or it forces some sort of defragmenting/fscheck routine at the following startup that results in a more optimized filesystem. To be honest I'm not terribly curious, I'm just happy I have another trick up my sleeve!

14 March 2015

Slides for "The EPM Diet" presentation at Infratects TopGun 2015

I usually have a lot of fun at our Top Gun event, which is basically the only conference in Europe entirely dedicated to Hyperion/EPM infrastructure topics. Infratects being the leading player in the European space for this particular niche, it makes sense to get the community together and have honest conversations about best practices.

In 2014 I presented a talk about securing EPM. In 2015, in keeping with the tradition of telling people to do stuff they'd rather not, I talked about keeping servers fit by following an EPM diet, aka a number of little maintenance tasks to be periodically repeated.

I guess next year it will have to be about paying your taxes on time, or calling your mum every week.

06 February 2015

Hyperion Financial Management (HFM) 11.1.2.4.0 cannot be fully secured

(If you don't know what HFM is or does, look away now!)

If you work in the Oracle EPM space, you know that the long-awaited version 11.1.2.4.0 has finally been released, without much fanfare. For HFM, this release marks a major turning point: core services have been deeply modified in order to make them run on Unix/Linux, and ASP.Net was entirely removed from the stack, so that HFM can be officially supported on Exalytics system running Oracle Linux.

HFM is built on the Microsoft C++ stack, so it was an arduous task to make it portable without throwing away a decade of development efforts. To Oracle's credit, the mission was basically accomplished; however, *nix shops will likely not be too eager to deploy 11.1.2.4.0 in production environments just yet -- nor will traditional HFM customers. This release is rough, with quite a few functional bugs (taskflows cannot be displayed; the interface does not fully work in IE11; and so on), and unfortunately security was another casualty.

If you enable SSL for internal communication between EPM components, all services should encrypt their network traffic. In order to do that, they have to be manually configured, installing identity certificates required by the SSL protocol; this is a standard operation in Weblogic, and documented for other components in the Security Configuration Guide. Unfortunately, the HFM application server:

  1. is not a Weblogic instance (at least not officially -- will clarify this later)
  2. is not documented in the Guide yet.

Straight out of the gate we have a problem -- what certificate will HFM use? Nevermind, let's assume there is one hardcoded somewhere (shock, horror!). We simply enable full-SSL in Common Settings:

Then activate SSL support in the HFM Application Server configuration task:

And we can see in the EPM Registry that these settings have gone in:

We then configure the rest of the stack to use SSL (which is quite trivial, these days), increase logging here and there (good practice when enabling SSL, since it helps with troubleshooting), restart our services and... it all works! Great! Hold on, what is this in the HFM log?

[2015-02-06T01:11:05.087+00:00] [FM] [ERROR] [EPMHFM-65559] [oracle.FM.HSSUTIL.oracle.epm.fm.hssservice.RegistryWrapper] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hssservice.RegistryWrapper] [SRC_METHOD: getRegistryProperty] Invalid property isSSL for HIT Registry component app24. [2015-02-06T01:11:05.132+00:00] [FM] [WARNING] [] [oracle.FM.HSX.SERVER.oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [SRC_METHOD: init] An error occurred retrieving property isSSL from EPM registry, using default value :false. [2015-02-06T01:11:05.141+00:00] [FM] [ERROR] [EPMHFM-65559] [oracle.FM.HSSUTIL.oracle.epm.fm.hssservice.RegistryWrapper] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hssservice.RegistryWrapper] [SRC_METHOD: getRegistryProperty] Invalid property SSL_Port for HIT Registry component app24. [2015-02-06T01:11:05.141+00:00] [FM] [WARNING] [] [oracle.FM.HSX.SERVER.oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [SRC_METHOD: init] An error occurred retrieving property SSL_Port from EPM registry, using default value :9092.[...] [SRC_METHOD: init] isSSLEnabled :false

Ouch, it looks like HFM is just ignoring our settings. Old-hat EPM infrastructure hackers at this point are probably thinking "Hold on, I know those 'not found' properties; they're usually seen on web-app nodes!" and that's exactly it. The HFM server fancies itself a web-app, and looks for web-app properties in its registry node; but that node is actually a custom non-standard type with non-standard properties "isSslEnabled" and "ssl_port" (lowercase).

To verify that HFM was not encrypting anything, I dusted off my miserable Wireshark skills and logged some network traffic.

As you can see in the screenshot, data originating from the HFM application server and using ports in the range used by HFM, are sending data down the wire completely unencrypted. Malicious actors could hide somewhere in your company network and silently siphon away all your precious financial data with minimal effort. If you care about security, you'll likely want to give this HFM release a wide berth, at least until this bug is fixed.

Bonus: The Strange Case of The Masqueraded Weblogic

As I mentioned above, the HFM application server is not officially a Weblogic instance. So why is it trying to look up registry properties typical of Weblogic instances? Maybe because it is, in fact, a bastardised Weblogic. If we look at the startup parameters configured in Windows Registry, we find the following:

What's that? A Weblogic parameter? Indeed it is. And why is it there? By default, Weblogic will use the cryptographic extensions found in the JDK (or JRockit) in which is running. By setting "nojce" to True, you can tell Weblogic to actually use its internal implementation of such extensions (which were probably developed by BEA back in the days, when crypto support in the JDK was a bit shaky). If you are bastardising weblogic, I guess you can also replace some of these classes with your custom versions, which is probably what Oracle was trying to do here.

22 January 2015

How To Invert Apple Magic Trackpad Orientation

UPDATE 2016-12-18: as suggested by a very helpful comment, Sierra users can get this back with BetterTouchTool. I can confirm that it works: in BTT Preferences, click on the Trackpad icon in upper-right corner, then in General (Tracking Speed etc.) tab, at the bottom, select "Mirror complete Magic Trackpad orientation for "upside-down" usage. BTT is an awesome utility with plenty of other features and constantly adding new ones (I've been using it for a very long time and wasn't even aware they had introduced this option!), and it's incredibly cheap, so you should definitely check it out.

UPDATE 2016-10-01: It's all over, folks - OSX 10.12 "Sierra" officially broke this trick. The only suggestion I have left is to "flatten" the mouse with a book underneath, long enough to give you wrist support.

UPDATE 2015-10-30: Various commenters noted that the following hack doesn't work with Magic Trackpad 2. I cannot verify this; I can only say that the original version I have (model no. A1339) still works the same way with OSX 10.11 "El Capitan".

Over the years, I've grown so fond of OSX trackpad gestures that I couldn't bear the thought of going back to a mouse when I bought my Freestyle2 keyboard. The solution was to buy a Magic Trackpad, which works exactly as expected. However, Jony Ive's people clearly ignored ergonomics when designing this product: in the default configuration, it's just a wrist killer.
I wonder if somebody knew about this, because OSX has a very easy way to turn the trackpad around, in what becomes a much better stance; a negative slope is much kinder on your wrists and hands. So, without further ado, here's how you revert your trackpad:
  1. Disconnect your trackpad, by pressing the power button until the green light goes off.
  2. Type the following command in your Terminal, all on one line: sudo defaults write com.apple.MultitouchSupport ForceAutoOrientation YES
  3. invert your trackpad, turn it on, then place five fingers on it, stretched enough that the device can recognise a hand shape. Congratulations, your trackpad is now inverted.
  4. If you want to go back to the previous orientation, just switch the trackpad off, turn it around, and again place five fingers on it on reconnect.
I suggest adding a padded rest for your wrist, or something to that effect. I'm currently using a couple of CD cases but I'll probably get something softer at some point. Now my wrist feels *much* better, even more relaxed than with a mouse.
Caveat: the trackpad has a significant inactive area where the battery is stored. This means that you have to keep your hand a bit further from the edge than before. It might take a few minutes to adapt, especially if you drag&drop with your thumb as I do. One alternative is to use three-fingers dragging instead, which also works very well.

08 January 2015

Kinesis Freestyle2 Multichannel Bluetooth for Mac - Review

As New Year Resolutions go, improving your ergonomics is an easy one to achieve for most programmers: just buy decent kit (proper chair, table, screen, keyboard, mouse), set it up once, et voilĂ . In this spirit, I've just bought the Kinesis Freestyle2 Multichannel Bluetooth, and this is a short review after just a few hours of usage.

Freestyle2 is the revised model of the (fairly successful) Freestyle keyboard. It's a split Bluetooth keyboard that can actually detach its two halves, so that it can suit your personal ergonomic stance rather than forcing you to adapt to an arbitrary keyboard position. Out of the box, it comes with a pivot tether keeping the halves together, but I personally removed it straight away and it felt immensely liberating.

Obviously, such a keyboard will pay great attention to ergonomics all over. It's flat, but keys are slightly counter-sloped in order to achieve a negative-slope feeling, which is nice. Still, the Freestyle2 is fairly thick, so you'll want to buy the optional padded armrests as well (I originally forgot and can clearly feel the strain - time for a top-up order).

I'm quite happy with overall build quality, including good key switches you don't have to bang onto and never get stuck. The Mac version comes with Command and Option keys in all the right places, and quite a few goodies I've missed since I moved to laptops (Delete, Home, End, PgUp, PgDwn). I'll likely need a few weeks to get fully used to a regular keyboard again, after two years exclusively spent on a MacBook, but that would have been inevitable with any keyboard.

I'm not entirely sold on the huge Esc key being so far away from the main rows, but if it's the price to pay for a big Delete just above regular Backspace, so be it; I'm not a big Vi user anyway! ;-) Note: the "Multichannel for Mac" version of the Freestyle2 is only available in US layout at the moment; this said, if you switch to UK layout in OSX, the keyboard will happily give you UK characters where they're supposed to be (except for slash, which is physically in a different place), so if you're not a "hunt & peck" person, you should have little trouble adapting. Considering the split layout, I wouldn't recommend this keyboard to any H&P friend anyway.

The multichannel concept is intriguing, and works smoothly. Basically, you can pair the keyboard to 3 different computers/phones/tablets, and switch between them as necessary. Getting a text message on your Android phone while you're working on your laptop? Just hit Fn-2 or Fn-3 to respond. Having several laptops (like me)? Just switch between them as necessary without having to buy a cumbersome KVM setup. I tested it switching between MBP and iPhone 5, and it worked great. This is seriously cool, now I wish I had a mouse/trackpad that could do it as well.

Talking of trackpads, there is a really nice coincidence: if you get an Apple Magic Trackpad, like I did, and put a simple cd case underneath to even it out (seriously, Apple: who thought sloping it was a good idea?), you'll find that trackpad surface sits perfectly even to the Freestyle2. If this effect was achieved on purpose, well done Kinesis! It makes it really easy to transition from keyboard to trackpad.

The only real "wtf moment" I had was that the key assigned to Mission Control seems to actually return F12. This is probably the result of some hackery I did in the past on my laptop, but I haven't been able to track it down yet. It's not a big deal anyway: I bought a trackpad exactly so that I could keep using gestures for this sort of activity.

Last and probably least, the Freestyle2 features two additional key columns on the left-hand side, predefined for some supposedly-common actions: "back" and "forward" in browsers, "go to" beginning or end of the line, Cut/Copy/Paste, Undo, and Select All. In truth, I can see how Kinesis really needed just one column (for Fn and 1/2/3 switches to change channel); the second was probably added to get better symmetry with the right half of the keyboard. These keys would be more useful if they could be remapped, which can probably be achieved with some hackery but is not officially supported by Kinesis. "Forward" in particular seem particularly wasted -- there is a reason most browsers only emphasise Back these days.

Setup was easy, but make sure you read the instructions properly; I initially failed to notice that you have to explicitly select the channel before pairing, and overwrote my initial pairing a couple of times. It would be nice if the Freestyle2 were smart enough to default to a "free" channel when pairing, but it's a minor feature that you'll likely use only the first time you connect the keyboard anyway. Btw, make sure you download those instructions, because they are not actually included in the box.

If you'd like to buy a Freestyle2 and you are in the US, you can just order it from the Kinesis website (remember armrests!). I got mine in the UK thanks to official distributor Osmond Ergonomics, which very kindly got in touch as soon as I tweeted (between Christmas and New Year's Eve) and notified me when they received some stock -- they should have Multichannel models available on their webstore in a week or two; in the meantime just get in touch directly and they'll be happy to oblige (BTW, if you don't care about Multichannel features, you can order a regular Freestyle2 on the website right now).