
Considerations for SSL Implementation in Hyperion Environment

SSL is important for security and sometimes needs to be implemented in a Hyperion environment, depending on an organization’s security requirements. Depending on the implementation chosen, this can be expensive and time-consuming, or it can be simple.

Hyperion supports three ways of implementing SSL:

  1. Full Implementation – implementing SSL in WebLogic, Oracle HTTP Server (OHS), and IIS (if used).
  2. OHS Implementation – implementing SSL in Oracle HTTP Server only.
  3. Network Implementation – implementing SSL at the network level on a device such as a load balancer.

Full SSL implementation is the most complex and most costly setup, since multiple certificates are needed. Keystores need to be generated and managed, the OHS wallet needs to be managed, and a lot more configuration, testing, and troubleshooting are needed. The benefit of a full implementation is that it is the most secure method.

OHS SSL implementation is simpler and requires minimal configuration. The SSL certificate is managed in the OHS wallet, and EPM configuration is relatively simple. This implementation is less secure than a full implementation, but it can still be secure if the Hyperion servers are isolated on their own subnet and access to them is given only to the OHS server. Only one SSL certificate is required per OHS server, so cost is minimal.
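The isolation condition for the OHS-only model can be checked against exported firewall allow rules. The following is an added example, not part of the original article; the subnet, OHS address, ports, and rule format are constructed placeholders.

```python
import ipaddress

# Constructed placeholder values; substitute the real Hyperion subnet and OHS hosts.
HYPERION_SUBNET = ipaddress.ip_network("10.20.30.0/24")
OHS_SERVERS = {ipaddress.ip_address("10.20.10.5")}

# Constructed allow rules: (name, source CIDR, destination CIDR, destination port).
SAMPLE_RULES = [
    ("ohs-to-weblogic", "10.20.10.5/32", "10.20.30.0/24", 9000),
    ("users-to-ohs", "0.0.0.0/0", "10.20.10.5/32", 443),
    ("legacy-admin", "10.0.0.0/8", "10.20.30.15/32", 7001),
    ("intra-hyperion", "10.20.30.0/24", "10.20.30.0/24", 1423),
]


def source_is_trusted(src, hyperion_subnet, ohs_servers):
    """True if every address in src is an OHS server or lies inside the Hyperion subnet."""
    if src.subnet_of(hyperion_subnet):
        return True
    # A source range larger than the OHS host list cannot be "OHS only".
    if src.num_addresses > len(ohs_servers):
        return False
    return all(addr in ohs_servers for addr in src)


def find_violations(rules, hyperion_subnet=HYPERION_SUBNET, ohs_servers=OHS_SERVERS):
    """Return names of allow rules that let non-OHS sources reach the Hyperion subnet."""
    violations = []
    for name, src_cidr, dst_cidr, _port in rules:
        src = ipaddress.ip_network(src_cidr)
        dst = ipaddress.ip_network(dst_cidr)
        if not dst.overlaps(hyperion_subnet):
            continue  # rule never reaches the unencrypted Hyperion tier
        if not source_is_trusted(src, hyperion_subnet, ohs_servers):
            violations.append(name)
    return violations


if __name__ == "__main__":
    for rule_name in find_violations(SAMPLE_RULES):
        print(f"non-OHS source can reach Hyperion subnet: {rule_name}")
```

Any rule it reports is a path on which traffic to the Hyperion servers is not protected by the SSL terminated at OHS.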

Network SSL implementation is the simplest method and is good for security if the network is set up correctly. Two SSL certificates are added to an external device such as an SSL offloader or load balancer. One certificate is needed for external communication between users and the device, and the other is needed for internal communication among Hyperion applications. Hyperion is configured normally, and the load balancer forwards all requests from OHS.

Performance can and should be a factor when considering SSL implementations. A full SSL implementation can cause Hyperion to run slower. For example, a client wanted a full SSL implementation in their dev environment. SSL certificates were obtained for every server and software component that required them. After configuration was done and tested, the environment was released to users, who reported that Hyperion was running slower than normal. It would take a minute or two just for Workspace to load. After this report, SSL was implemented only in OHS in another environment, and the performance was a lot better. After seeing this difference, SSL was redone in dev for OHS only, and performance increased.