Monday, January 13, 2020

SSL Enabled MSAD for EPM Systems

So, after a long hiatus, I am finally ready to update this blog with something that is bound to be catastrophic to your EPM environment. Microsoft is enforcing SSL on MSAD connections, and the details can be found here.

The MSAD connection in my 11.1.2.4 environment was not SSL enabled. Per Oracle, implementing SSL connectivity is a simple, straightforward procedure documented in KM Doc ID 1599610.1.

Per the document, you need to import your corporate AD SSL certs into 3 locations inside the EPM system on all servers.




keytool -import -noprompt -trustcacerts -alias <Alias Name> -file <Certificate for Corporate Directory> -keystore <Keystore Name and Location> -storepass <Keystore Passphrase>


However, when I did that, I ran into the errors below.
SSL Error
Bind Error
In order to overcome this, after multiple iterations, I have finally come up with the proper steps to get rid of this problem. If you installed the base version of EPM along with the base WebLogic and Java components, those will need to be updated.
In my case, I had upgraded WebLogic to 10.3.6 per the instructions mentioned in Doc ID 2503568.1.
bsu.cmd -install -patch_download_dir=D:\Oracle\Middleware\utils\bsu\cache_dir -patchlist=7HKN -prod_dir=D:\Oracle\Middleware\wlserver_10.3 -log=7HKN.log
The second and by far the most complicated step was to upgrade the JDK and JRockit to Java 7. The steps are mentioned in Doc ID 2351499.1. I chose to move ahead with the less complicated steps in Choice 1. It was not worth going through the struggle of Choice 2.
Special note: Don't forget the Essbase, EAS and FR Studio clients. The steps are a little different from those for web apps like Foundation, RAF, Web Analysis, Calc Man, etc.
Lastly, don't forget to update the corporate SSL certs in the new Java 7 library. Then proceed to apply the SSL enabled option in your Shared Services console. It should now happily take port 636, and you will keep your security team happy.
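The import has to be repeated for every keystore on every server, including the new Java 7 one, so it is easy to miss one. As an added example (not from the original post or the Oracle documents), this PowerShell script imports the certificate into each keystore only where the alias is missing and then lists the entry so the fingerprints can be compared; the parameter names are hypothetical and every path is supplied by the caller.

```powershell
# Added example: idempotent import of the corporate AD certificate into several keystores.
# Parameter names are hypothetical; no path, alias or passphrase here comes from the Oracle documents.
param(
    [Parameter(Mandatory=$true)] [string]   $Keytool,    # full path to keytool.exe of the Java install in use
    [Parameter(Mandatory=$true)] [string]   $CertFile,   # corporate AD certificate file
    [Parameter(Mandatory=$true)] [string]   $Alias,      # alias to store the certificate under
    [Parameter(Mandatory=$true)] [string[]] $Keystores,  # every keystore the EPM components read
    [Parameter(Mandatory=$true)] [string]   $StorePass   # keystore passphrase
)

$failed = @()
foreach ($ks in $Keystores) {
    if (-not (Test-Path -LiteralPath $ks)) {
        Write-Warning "Keystore not found: $ks"
        $failed += $ks
        continue
    }

    # keytool -list exits non-zero when the alias is absent (or the passphrase is wrong)
    & $Keytool -list -alias $Alias -keystore $ks -storepass $StorePass 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Host "Importing '$Alias' into $ks"
        & $Keytool -import -noprompt -trustcacerts -alias $Alias -file $CertFile `
                   -keystore $ks -storepass $StorePass
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Import failed for $ks"
            $failed += $ks
            continue
        }
    }

    # Show the stored entry; its fingerprint should be identical in every keystore
    Write-Host "Entry in ${ks}:"
    & $Keytool -list -alias $Alias -keystore $ks -storepass $StorePass
}

if ($failed.Count -gt 0) {
    Write-Warning ("Certificate missing from: " + ($failed -join ', '))
    exit 1
}
```

Run it on each server with that server's keystore paths; a non-zero exit code means at least one keystore still lacks the certificate.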
Happy EPMing!