
HYPERION
EXTERNAL AUTHENTICATION
RELEASE 2.6
CONFIGURATION GUIDE
P/N: D000300000
Copyright 2004 Hyperion Solutions Corporation. All rights reserved.
U.S. Patent Numbers: 5,359,724 and 6,317,750
Hyperion, Essbase, and the H logo are registered trademarks, and Hyperion Solutions is a trademark of Hyperion
Solutions Corporation.
All other brand and product names are trademarks or registered trademarks of their respective holders.
No portion of this manual may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, recording, or information storage and retrieval systems, for any purpose other than the
purchaser's personal use, without the express written permission of Hyperion Solutions Corporation.
Notice: The information contained in this document is subject to change without notice. Hyperion Solutions Corporation
shall not be liable for errors contained herein or consequential damages in connection with the furnishing, performance,
or use of this material.
Hyperion Solutions Corporation
1344 Crossman Avenue
Sunnyvale, CA 94089
Printed in the U.S.A.
Contents
CHAPTER 1 Introduction to External Authentication and Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
About External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
About Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Support for SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Platform Support and Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
CHAPTER 2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
CHAPTER 3 Setting Up the Environment for NT LAN Manager Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Setting Up User Rights for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Setting Up User Rights on Windows NT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Setting Up User Rights on Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Setting Up User Rights on Windows 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
UNIX Application Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Multiple-Domain Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
CHAPTER 4 Configuring Hyperion Hub for External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
How Configuration Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Adding or Editing an LDAP or Active Directory Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Naming the Provider Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Specifying Host Name, Port Number, and Base DN (Required) . . . . . . . . . . . . . . . . . . . . 21
Setting a Read-Only User Account or Selecting an Anonymous Bind (Required) . . . . . . 21
Specifying the Location of Users (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Specifying the Location of Groups (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Specifying the Provider Trust Setting (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Setting Maximum Result-Set Size (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Setting Authorization Type (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Completing the Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Adding or Editing an NT LAN Manager Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Naming the Provider Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Specifying the Domain (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Specifying a Remote Authentication Module Location (Optional) . . . . . . . . . . . . . . . . . . 26
Specifying the Provider Trust Setting (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Setting Maximum Result-Set Size (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Completing the Configuration (Required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Setting the Search Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Setting the Token Time-out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Configuring the Preferred Logging Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Additional Configuration Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
User Login Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
User First-name Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . 30
User Surname Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . . . 31
User E-mail Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Custom User Object-Class Entries (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Group Name Attribute (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Custom Group Object-Class Entries (Optional, LDAP/MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Referral Support (Optional, MSAD Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Verifying a Correct Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Notes About User and Group Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
CHAPTER 5 Configuring Hyperion Products for External Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Hyperion Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Environment Setup Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Referencing the Hub Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Configuring for SiteMinder Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Hyperion Application Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configuring the Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Referencing the Hub configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Hyperion Business Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Referencing the Hub Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Enabling Single Sign-on Between Hyperion Business Modeling and Other Hyperion Products . . . . . . . . . 43
Hyperion Business Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Hyperion Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Hyperion Essbase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Essbase Analytic Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Essbase Administration Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Essbase Deployment Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Essbase Spreadsheet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Essbase Integration Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Hyperion Financial Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Referencing the Hub Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Adding Externally Authenticated Users in Hyperion Financial Management . . . . . . . . . 53
Hyperion Metrics Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Hyperion Performance Scorecard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Hyperion Performance Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Hyperion Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Referencing the Hub Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Setting Up BEA WebLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Configuring NTLM Authentication When the Web Application Server is on UNIX . . . . 56
Enabling Single Sign-On Between Planning and Other Hyperion Products . . . . . . . . . . . 56
Hyperion Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Referencing the Hub Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Enabling Single Sign-On to Hyperion Essbase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Searching for Users in Hyperion Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Hyperion SQR and Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Hyperion Strategic Finance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Referencing the Hub Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Searching for Users in Hyperion Strategic Finance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Hyperion Translation Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Referencing the Hub Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
CHAPTER 6 Setting Up the Environment for Netegrity Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Required Changes to Hub Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Required Changes to Netegrity Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Deployment Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
CHAPTER 7 Using Secure Sockets Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Required Changes to Hub Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Other Required Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
CHAPTER 8 Hyperion Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
About the Hyperion Remote Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Installation Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Configuration and Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
CHAPTER 9 Sample Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Single LDAP Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Single Microsoft Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
UNIX Application and Single NTLM Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Windows Application and Single NTLM Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
UNIX Application against LDAP, Microsoft Active Directory, and NTLM . . . . . . . . . . . . . . . 79
Windows Application against LDAP, Microsoft Active Directory, and NTLM . . . . . . . . . . . . . 80
Multiple Microsoft Active Directory Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Multiple LDAP Directory Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Multiple NTLM Domains with Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Multiple NTLM Domains Connected with Hyperion Remote Authentication Module . . . . 84
Single Sign-on with SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Deployment References from LDAP Product Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
APPENDIX 10 Sample Configuration XML Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Basic XML Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Extended XML Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Chapter 1
Introduction to External Authentication and Single Sign-On
This guide helps you set up Hyperion applications to use external authentication in addition
to, or in place of, the security systems employed by the applications. Using external
authentication to manage user accounts on Hyperion applications provides two main benefits:
The existing corporate structure of user accounts is employed by Hyperion applications,
thus reducing administrative overhead
The benefit of single sign-on to Hyperion applications is added, thus eliminating the need
for users to log on multiple times with multiple user names and passwords
In This Chapter
About External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
About Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Platform Support and Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
About External Authentication
External authentication means that the user login information needed by Hyperion
applications is stored outside the applications. The information is maintained in a central
authentication directory, such as Lightweight Directory Access Protocol (LDAP) Directory,
Microsoft Active Directory, or Windows NT LAN Manager.
An authentication directory is a centralized store of user information such as login names and
passwords, and perhaps other corporate information. The repository functions like a telephone
directory. The authentication directory probably contains much more than user names and
passwords; for example, it may include e-mail addresses, employee IDs, job titles, access rights,
and telephone numbers. It may also contain objects other than users; for example, it may
contain information about corporate locations or other entities.
In order to use external authentication for Hyperion applications, your organization must have
an authentication directory that contains corporate user information. Additionally, you must
modify the XML-based security configuration file associated with your product to specify
correct information pertaining to your corporate authentication directory.
The following types of authentication repositories are supported:
Windows NT LAN Manager (NTLM) on NT 4.0 or higher, Windows 2000, and Windows
2003
Lightweight Directory Access Protocol (LDAP) version 3 or higher
Microsoft Active Directory server (MSAD), Windows 2000 sp3 or higher
About Single Sign-On
Single sign-on is the ability of a user to access multiple Hyperion products after logging on
only once. When an externally authenticated user logs on to a Hyperion product, an encrypted
token is generated which contains the user credentials in the form of:
The user name,
In some cases, the user password. The presence of a password in the token depends on the
configuration. If you are using a trusted authentication directory, no password is present or
required in the token.
As shown in Figure 1, the token is passed among other Hyperion products and is used as
needed to automatically re-authenticate the user when the user moves to another application.
Single sign-on is effective in cases where one Hyperion product launches another. Note that if a
user launches a second product independently, for example, from the Start Menu, a token
cannot be passed between the products, and the user must re-authenticate.
Figure 1 Authentication to External Provider Enables Sign-On to Reach Multiple Applications
Tokens are encrypted; however, additional security such as the Secure Sockets Layer (SSL) protocol
is recommended to prevent replay attacks or man-in-the-middle attacks.
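The token behaviour described above, modelled as an added example (this is not Hyperion's token format, which the guide does not specify, and it uses an HMAC tag in place of the encryption layer so that it runs with the standard library alone). The model shows the three properties the text relies on: the token carries the user name and, only for an untrusted provider, a password; it stops being accepted once the token time-out passes; and a tampered token is rejected. It also shows the limitation that motivates the SSL recommendation: within its lifetime a captured token verifies again unless the receiver keeps a record of tokens already presented. The key and clock values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Every product sharing one XML configuration would
# have to share the token key; this value is not from Hyperion.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user, provider, now, ttl_seconds, password=None, key=SHARED_KEY):
    """Build a token carrying the user name, the provider that authenticated the
    user, and an expiry.  A password field is included only when one is given,
    matching the guide: a trusted directory needs no password in the token."""
    payload = {"user": user, "provider": provider, "iat": now, "exp": now + ttl_seconds}
    if password is not None:
        payload["password"] = password
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token, now, key=SHARED_KEY, seen=None):
    """Check integrity and time-out.  When `seen` (a set) is supplied, a second
    presentation of the same token is refused, which is the receiver-side
    defence against replay that transport protection otherwise has to provide."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return {"ok": False, "reason": "malformed", "payload": None}
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return {"ok": False, "reason": "bad_tag", "payload": None}
    payload = json.loads(body)
    if now >= payload["exp"]:
        return {"ok": False, "reason": "expired", "payload": payload}
    if seen is not None:
        if tag in seen:
            return {"ok": False, "reason": "replayed", "payload": payload}
        seen.add(tag)
    return {"ok": True, "reason": "ok", "payload": payload}


def token_demo():
    """Walk through the cases and return the verifier's verdict for each."""
    now = 1_700_000_000  # constructed clock value, in seconds
    results = {}
    token = mint_token("jdoe", "corp-ldap", now, ttl_seconds=300)  # trusted provider: no password
    results["has_password"] = "password" in verify_token(token, now)["payload"]
    results["fresh"] = verify_token(token, now + 10)["reason"]
    results["after_timeout"] = verify_token(token, now + 300)["reason"]
    # Tampering: keep the original tag but change the user name in the body.
    body = json.loads(_unb64(token.split(".")[0]))
    body["user"] = "admin"
    forged_body = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    results["forged"] = verify_token(forged_body + "." + token.split(".")[1], now + 10)["reason"]
    results["wrong_key"] = verify_token(token, now + 10, key=b"some-other-key")["reason"]
    # Replay: with no record of presented tokens, a captured token is accepted
    # again inside its lifetime; with a record, the second use is refused.
    results["replay_unchecked"] = verify_token(token, now + 20)["reason"]
    seen = set()
    verify_token(token, now + 20, seen=seen)
    results["replay_checked"] = verify_token(token, now + 25, seen=seen)["reason"]
    results["garbage"] = verify_token("not-a-token", now)["reason"]
    return results
```

The `replay_unchecked` case is the one to note: integrity and expiry alone do not stop a token that was read off the wire from being reused before the time-out, so a short token time-out (see Setting the Token Time-out in Chapter 4) and SSL on the links between products complement each other.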
To enable single sign-on between multiple Hyperion applications that launch one another, you
must use a single XML configuration file that is shared by the multiple product installations.
For more information, see Chapter 4, Configuring Hyperion Hub for External
Authentication.
Support for SiteMinder
In addition to native Hyperion single sign-on, Hyperion products can integrate with Web
access management solutions such as the Netegrity SiteMinder product. SiteMinder is a Web
access management solutions provider. Web access management solutions are employed by
organizations to manage and enforce authentication, authorization, and single sign-on for web
resources such as JSP files, ASP files, or HTML files. Web-based Hyperion products support
single sign-on from a Web access management solutions provider, also known as a security
agent. Integration with a security agent requires configuration of the <securityAgent>
element in the XML configuration file.
Note: In this documentation, the terms security agent and Web security agent are interchangeable, and refer to any Web
access management solutions provider such as Netegrity SiteMinder.
The following security agents are tested and supported for single sign-on with Hyperion
applications:
SiteMinder Policy Server 5.5 Service Pack 2
SiteMinder Web Agent 5.5 Service Pack 2
If your corporation has implemented SiteMinder to protect company Web resources, you can
configure the security platform to require only that users authenticate through SiteMinder,
after which they will not be required to present credentials again when logging in to Hyperion
applications.
For information about configuring the <securityAgent> element in the XML configuration
file, see Chapter 6, Setting Up the Environment for Netegrity Single Sign-On.
For a sample deployment scenario illustrating single sign-on with SiteMinder, see Single Sign-
on with SiteMinder on page 85.
Platform Support and Requirements
The following steps are required before implementing external authentication and single sign-
on with Hyperion applications.
1. Decide which Hyperion products, and on which operating systems, will need the external
authentication functionality.
Table 1 lists the operating systems supported by the Hyperion external authentication
mechanism.
2. Decide which of the supported authentication providers, on which platforms, to make
available in the security realm. See Table 2.
Table 1 Supported Operating Systems

Operating System
Windows NT 4.0, sp 6a or higher
Windows 2000 Server and Advanced Server, sp 4 or higher
Windows 2003
Solaris 8 and 9
HP-UX 11i
AIX 5.1L and 5.2

Table 2 Supported Authentication Providers and Platforms

Columns: LDAP = Lightweight Directory Access Protocol (LDAP) version 3 compatible directories;
NTLM = NT LAN Manager (NTLM); MSAD 2000 = Microsoft Active Directory 2000;
MSAD 2003 = Microsoft Active Directory 2003.

Platform                                                  LDAP   NTLM    MSAD 2000   MSAD 2003
Windows NT 4.0, sp 6a or higher                           X      X       X           X
Windows 2000 Server and Advanced Server, sp 4 or higher   X      X       X           X
Windows 2003                                              X      X       X           X
UNIX                                                      X      X (1)   X           X

(1) Requires installation of the Hyperion Remote Authentication Module.

Note: The tested and supported LDAP servers are: Sun ONE (iPlanet) 5.2, Novell eDirectory 8.7, IBM Directory Server
5.1, and Domino LDAP 5.x and 6.0.
Note: Web-based Hyperion applications can optionally be used with Netegrity SiteMinder version 5.5 or higher in
conjunction with the supported directories listed above. For details on installation and configuration of Netegrity
SiteMinder, see the SiteMinder installation documentation at http://www.netegrity.com.
3. Install and configure Hyperion Hub 7.2, available on the Hyperion Download Center. For
more information, see the Hyperion Hub Installation Guide.
Once you have configured Hyperion Hub for external authentication, you can configure
other Hyperion products that need to use external authentication by referencing the Hub
configuration.
4. If your corporation has implemented SiteMinder to protect company Web resources, you
can configure the security platform to enable single sign-on between Hyperion
applications and SiteMinder. For more information, see Chapter 6, Setting Up the
Environment for Netegrity Single Sign-On and Support for SiteMinder on page 9.
The Hyperion security platform supports SiteMinder Policy Server 5.5 Service Pack 2 and
SiteMinder Web Agent 5.5 Service Pack 2, also known as SiteMinder Web Agent 5.x QMR 5.
5. If you are implementing security using an NTLM provider and are using a UNIX system as
the machine where the Hyperion application software is installed, ensure that the
Hyperion Remote Authentication Module is installed on a Windows NT, Windows 2000,
or Windows 2003 server. Install the Hyperion Remote Authentication Module from the
Hyperion Download Center. After the Remote Authentication Module is installed, you
must also provide its URL as a value to the <remoteServer> element in the security
platform XML configuration file.
6. If you want to enable authentication of users from multiple Windows domains, but you do
not want to set up trust relationships between those domains, install the Hyperion Remote
Authentication Module on a separate Windows server. This enables users of Hyperion
applications running on one domain to log into Hyperion applications on other domains.
All the domains involved must be running Hyperion applications that are configured to
use the same Hyperion Remote Authentication Module instance.
Chapter 2
Getting Started
We recommend using Hyperion Hub Configuration Console to manage external
authentication outside of the context of any particular product or application. Once you have
configured Hyperion Hub for external authentication, you can configure other Hyperion
products that need to use external authentication by referencing the Hub configuration.
To implement Hyperion Hub functionality for your Hyperion products or applications, each
product requires access to a Hub server running Hub server software, and to a database
dedicated to Hub. See the Hyperion Hub Installation Guide for database options.
Use the following process to set up external authentication for any Hyperion product:
1. Download and install the Hyperion products you will be using, if this is not already done.
2. Download and install Hyperion Hub from the Hyperion Download Center.
Complete the Database Configuration steps for Hub before proceeding with configuration
of external authentication. See the Hyperion Hub Installation Guide, available on the
Hyperion Download Center.
3. Configure external authentication for Hub. See Chapter 4, Configuring Hyperion Hub for
External Authentication.
4. Configure the Hyperion products you are using to reference the Hyperion Hub external
authentication configuration. See Chapter 5, Configuring Hyperion Products for External
Authentication.
5. If you will use NT LAN Manager authentication, there are additional steps. See Chapter 3,
Setting Up the Environment for NT LAN Manager Support.
6. If you will use Web Access Management Solutions (Netegrity), there are additional steps.
See Chapter 6, Setting Up the Environment for Netegrity Single Sign-On.
Chapter 3
Setting Up the Environment for NT LAN Manager Support
The directions in this chapter apply to administrators who wish to enable one or more
Hyperion applications to use external authentication of users in a Windows NT LAN Manager
(NTLM) domain.
In This Chapter
Setting Up User Rights for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
UNIX Application Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Multiple-Domain Support for NT LAN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Setting Up User Rights for NT LAN Manager
To enable use of the NTLM provider, certain access rights are required for the Windows NT user
account under which the application or application server runs.
Note: Make sure you set up these rights on the machine on which the application runs, rather than on the NT domain
machine.
Additionally, certain access rights are required for end users. The following access rights are
required for external authentication to work with an NTLM provider:
Access this computer from the network (usually granted to Administrators). End users of
Hyperion applications using external authentication require this right.
Act as part of the operating system (normally not granted to anyone). The account used
to run Hyperion application processes requires this right in order for external
authentication to work.
The logged on user should be a domain user. The user running the application or
application server of the Hyperion product should be a domain user rather than a local
Windows user.
See one of the following sections, depending on which operating system you use.
Setting Up User Rights on Windows NT on page 16
Setting Up User Rights on Windows 2000 on page 17
Setting Up User Rights on Windows 2003 on page 17
Setting Up User Rights on Windows NT
To set up user rights on Windows NT:
1 From the Start Menu, select Programs > Administrative Tools (Common) > User Manager.
2 In the User Manager dialog box, select the appropriate user name.
3 Select Policies > User Rights. The User Rights Policy dialog box is displayed.
4 From the Right drop-down list box, select Access this computer from network.
The users or groups who have the selected policy setting are shown in the Grant To list box. If
the appropriate user is shown in this list box, click Cancel and skip to Step 6.
5 To grant the selected right, click Add, and complete the Add Users and Groups dialog box.
6 In the User Rights Policy dialog box, check Show Advanced User Rights.
7 From the Right drop-down list box, select Act as part of the operating system.
The users or groups who have the selected policy setting are shown in the Grant To list box. If
the appropriate user is shown in the Grant To list box, click Cancel and skip the rest of this
procedure.
8 To grant the selected right, click Add, and complete the Add Users and Groups dialog box.
Setting Up User Rights on Windows 2000
To set up user rights on Windows 2000:
1 From the Start Menu, select Settings > Control Panel > Administrative Tools > Local Security Policy.
This opens the Local Security Settings dialog box.
2 In the left-pane tree of the Local Security Settings dialog box, expand the folder named Local Policies.
3 Click the folder named User Rights Assignment, and, in the right area of the dialog box, double-click the
policy named Access this computer from the network.
The Local Security Policy Setting dialog box for the Access this computer from the network
policy is displayed.
4 If the relevant user account has the policy checked, click Cancel and skip to Step 9.
5 Click Add.
6 Select the name of the appropriate user or group needing the right.
7 Click Add.
8 Click OK.
9 In the right pane of the dialog box, double-click the policy named Act as part of the operating system.
The Local Security Policy Setting dialog box for the Act as part of the operating system
policy is displayed.
10 If the relevant user account has the policy checked, click Cancel and skip the rest of this procedure.
11 Click Add.
12 Select the name of the appropriate user or group needing the right.
13 Click Add.
14 Click OK.
Setting Up User Rights on Windows 2003
To set up user rights in Windows 2003:
1 From the Start Menu, select Control Panel > Administrative Tools > Local Security Policy.
This opens the Local Security Settings dialog box.
2 In the left-pane tree of the Local Security Settings dialog box, expand the folder named Local Policies.
3 Click the folder named User Rights Assignment, and, in the right area of the dialog box, double-click the
policy named Access this computer from the network.
The Access this computer from the network Properties dialog box is displayed.
4 If the relevant user account is listed as having this right, click Cancel and skip to Step 9.
5 Click Add User or Group.
6 Enter the name of the appropriate user or group needing the right.
7 Click OK.
8 In the Access this computer from the network Properties dialog box, click OK.
9 In the right pane of the Local Security Settings dialog box, double-click the policy named Act as part of
the operating system.
The Act as part of the operating system Properties dialog box is displayed.
10 If the relevant user account is listed as having this right, click Cancel and skip the rest of this procedure.
11 Click Add User or Group.
12 Enter the name of the appropriate user or group needing the right.
13 Click OK.
14 In the Act as part of the operating system Properties dialog box, click OK.
15 Close the Local Security Settings dialog box.
UNIX Application Support for NT LAN Manager
If you are implementing external authentication with an NTLM provider and wish to support
the use of a UNIX machine for the client application, you must also ensure that the
Hyperion Remote Authentication Module is installed on a Windows NT/2000 server.
See Chapter 8, Hyperion Remote Authentication Module.
Multiple-Domain Support for NT LAN Manager
In addition to UNIX application support, the Hyperion Remote Authentication Module also
enables a Hyperion application to authenticate users belonging to other domains that are not
trusted by the domain on which the Hyperion application is installed. This removes the
necessity to establish trust relationships between the domains.
Therefore, installing the Hyperion Remote Authentication Module can be useful to both of the
following groups:
UNIX application users who need to log in using a Windows domain
Windows users who need to log in using more than one Windows domain, although there
are no trust relationships set up
See Chapter 8, Hyperion Remote Authentication Module.
Chapter 4
Configuring Hyperion Hub for External Authentication
This chapter explains to administrators how to configure Hyperion Hub to support
authentication of users that are stored in LDAP, Active Directory, or Windows NT LAN
Manager (NTLM) external-authentication providers. Configuration also enables single sign-
on, the ability to access multiple Hyperion applications after logging on only once using
external credentials.
In This Chapter
How Configuration Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Adding or Editing an LDAP or Active Directory Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Adding or Editing an NT LAN Manager Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Setting the Search Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Setting the Token Time-out. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Additional Configuration Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Verifying a Correct Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Notes About User and Group Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
How Configuration Works
To configure Hyperion products for external authentication and single sign-on, first use the
Hyperion Hub Configuration Console to configure Hub for external authentication. Once you
have configured Hyperion Hub and verified that external authentication is successful,
configure any other products by referencing the Hub configuration.
When you use the Hyperion Hub Configuration Console to set up external authentication, the
console writes your configuration information to the CSS.xml file packaged with Hyperion
Hub. For a sample XML configuration file, see Appendix 10, Sample Configuration XML
Files.
Note: Although Hyperion products include XML files that can be configured separately for external authentication, we
strongly recommend simplifying the configuration by using Hyperion Hub.
Adding or Editing an LDAP or Active Directory Provider
Use the Configuration Console to add and configure LDAP or Active Directory providers for
external authentication. You can also configure existing providers.
Note: When you use Hub Configuration Console to make changes to external authentication, Configuration Console
updates the CSS.xml file located at: HUB\deployments\Tomcat\4.1.18\CSS.xml, where HUB
represents the directory where Hyperion Hub was installed.
To add an LDAP or Active Directory provider, go to the External Authentication Configuration
section of Hub Configuration Console, click Add, choose the provider type, and complete the
following tasks.
Naming the Provider Configuration (Required) on page 21
Specifying Host Name, Port Number, and Base DN (Required) on page 21
Setting a Read-Only User Account or Selecting an Anonymous Bind (Required) on
page 21
Specifying the Location of Users (Optional) on page 22
Specifying the Location of Groups (Optional) on page 22
Specifying the Provider Trust Setting (Optional) on page 22
Setting Maximum Result-Set Size (Optional) on page 24
Setting Authorization Type (Optional) on page 24
Completing the Configuration (Required) on page 24
To edit an existing provider, click Edit instead of Add, and complete any relevant tasks listed
above.
If you need additional help, click Help in the Configuration Console.
Naming the Provider Configuration (Required)
You must provide a configuration name for each external authentication provider. Provider
configuration names enable you to distinguish between multiple providers of the same type.
For example, two LDAP providers might be named ldapserver1 and ldapserver2.
Configuration names do not have to match actual server names.
To name the LDAP or Active Directory configuration:
1 In the Name field, enter a name (for example, ldapServer1 or ldapserver2).
2 Save the configuration or continue to the next section.
Specifying Host Name, Port Number, and Base DN
(Required)
You must indicate the address of the external authentication provider.
To specify the host information:
1 In the Hostname field, enter the name of the computer that hosts the LDAP or Active Directory repository.
For example, myHost2
2 In the Port field, enter the port number used by the LDAP or Active Directory repository.
For example, 389
3 In the Base DN field, enter the directory information tree (DIT) section of an LDAP or Active Directory URL.
You must include the domainComponent attributes (DCs).
For example, DC=company,DC=com
4 Save the configuration or continue to the next section.
Setting a Read-Only User Account or Selecting an
Anonymous Bind (Required)
You must provide a default way for Hyperion products to connect to the external
authentication directories.
To provide a connection method:
1 Complete either one, but not both, of the following steps:
a. In the User DN, Password, and Confirm Password fields, enter the information pertaining
to a user account that has at least read access to the directory information tree (DIT)
specified in the Base DN field (for example, dc=company, dc=com).
This enables a Hyperion product to get user information from the LDAP or Active
Directory directory when a user attempts to log on to the Hyperion product using external
credentials.
b. If the administrator has configured the directories to provide anonymous access to the
directory information tree, check Anonymous bind.
2 Save the configuration or continue to the next section.
Specifying the Location of Users (Optional)
You can optionally identify the location where users are stored in the directory information
tree.
If you want the provider to search the whole directory specified by the Base DN, then skip this
section.
To provide the user location:
1 In the User URL field, enter a value that indicates the branch in the directory server that contains user
entries.
For example, ou=People
2 Save the configuration.
Specifying the Location of Groups (Optional)
You can optionally identify the location where groups are stored in the directory information
tree.
If you want the provider to search the whole directory specified by the Base DN, then skip this
section.
To provide the group location:
1 In the Group URL field, enter a value that indicates the branch in the directory server that contains group
entries.
For example, ou=Groups
2 Save the configuration.
Specifying the Provider Trust Setting (Optional)
To specify the provider trust setting, leave the Trusted check box empty if this is not a trusted
LDAP or Active Directory provider, or check the box if this is a trusted provider.
If the trust setting is true, a password is not present or required in the token generated
upon user authentication. The user still must log in with a user name and password, but the
password is not stored in the token.
Note: For an explanation of tokens, see About Single Sign-On on page 8.
If the trust setting is false, a password is part of the token, and the password is required for
this provider.
Note: If your corporation uses a security agent such as Netegrity SiteMinder to protect company Web resources, the
provider must be trusted. For more information, see Chapter 6, Setting Up the Environment for Netegrity Single
Sign-On.
More Information: Trusted vs. Not Trusted
Trust, when set to TRUE, means that the user credentials found in a token received by a
Hyperion application will not be validated against the external authentication repository. This
quickens the authentication process.
When trust is set to TRUE in a single sign-on scenario, these actions occur:
1. Hyperion application 2 receives a token from Hyperion application 1, which launches it.
The password is not part of the token.
2. Hyperion application 2 sends the token to the single sign-on mechanism.
3. The single sign-on mechanism validates that the token is constructed properly (token
decryption and read are successful).
4. The single sign-on mechanism validates that the token has not timed out.
5. The single sign-on mechanism extracts the identity from the token and validates that it
exists within the authentication providers.
6. The single sign-on mechanism confirms that the user exists within the authentication
providers.
7. The single sign-on mechanism returns the identity string to Hyperion application 2 to
complete authentication.
When trust is set to FALSE in a single sign-on scenario, additional steps are taken (steps 4-6 are
unique to untrusted providers):
1. Hyperion application 2 receives a token from Hyperion application 1, which launches it.
The password is part of the token.
2. Hyperion application 2 sends the token to the single sign-on mechanism.
3. The single sign-on mechanism validates that the token is constructed properly (token
decryption and read are successful).
4. The single sign-on mechanism validates that the token has not timed out.
5. The single sign-on mechanism extracts the identity and password from the token.
6. The single sign-on mechanism validates the user and the password against the
authentication providers indicated in the configuration.
7. The single sign-on mechanism receives an approval or denial to authenticate from the
authentication provider.
8. The single sign-on mechanism returns the identity string to Hyperion application 2 to
complete authentication.
Setting Maximum Result-Set Size (Optional)
You can set the maximum number of entries that can be returned as a result of a request to the
authentication provider (for example, a request by a Hyperion application to list users available
for login).
To set the maximum result-set size for an LDAP or Active Directory provider:
1 In the Maximum Size field, enter the desired maximum number of entries that can be returned in a query.
If the Maximum Size field is left empty, the default value is 100.
If the Maximum Size field is set to 0, the allowed result-set size is unlimited. This is not
advisable, because a very large query result can consume too much memory.
2 Save the configuration or continue to the next section.
Setting Authorization Type (Optional)
This configuration topic is relevant if you are using the Secure Sockets Layer (SSL) protocol for
secure data transmission to and from the authentication provider.
To set the authorization type:
1 In the Authorization Type drop-down list box, leave the default value of Simple, or select SSL enabled if
you will implement Secure Sockets Layer.
2 Continue to the next section.
3 For more information, see Chapter 7, Using Secure Sockets Layer (SSL).
Completing the Configuration (Required)
Click Save to commit your configuration changes. Hyperion Hub writes your configuration
changes to the CSS.xml file.
Adding or Editing an NT LAN Manager Provider
Use the Configuration Console to add and configure Windows NT LAN Manager providers for
external authentication. You can also configure existing NT LAN Manager providers.
Note: When you use Hub Configuration Console to make changes to external authentication, Configuration Console
updates the CSS.xml file located at: HUB\deployments\Tomcat\4.1.18\CSS.xml, where HUB
represents the directory where Hyperion Hub was installed.
To add an NT LAN Manager provider, go to the External Authentication Configuration section
of Hub Configuration Console, click Add, select NTLM, and complete the following tasks.
Naming the Provider Configuration (Required) on page 25
Specifying the Domain (Optional) on page 25
Specifying a Remote Authentication Module Location (Optional) on page 26
Specifying the Provider Trust Setting (Optional) on page 26
Setting Maximum Result-Set Size (Optional) on page 26
Completing the Configuration (Required) on page 27
To edit an existing provider, click Edit instead of Add, and complete any relevant tasks listed
above.
If you need additional help, click Help in the Configuration Console.
Click Save often to commit your configuration changes to the CSS.xml file.
Naming the Provider Configuration (Required)
You must provide a configuration name for each external authentication provider. Provider
configuration names enable you to distinguish between multiple providers of the same type.
For example, two NT LAN Manager providers might be named ntlmserver1 and
ntlmserver2.
Configuration names do not have to match actual server names.
To name the NT LAN Manager configuration:
1 In the Name field, enter a name (for example, ntlmServer or ntlmserver2).
2 Save the configuration or continue to the next section.
Specifying the Domain (Optional)
If a domain is specified, then the NT LAN Manager provider is responsible for performing
operations on that domain. Alternatively, if the domain element is left empty, then the provider
performs operations on all the trusted domains.
To specify the NT LAN Manager domain:
1 In the Domain field, enter the domain name (for example, HYPERION). You must use the correct name of
the Windows domain your company uses as an authentication provider.
2 Save the configuration or continue to the next section.
Specifying a Remote Authentication Module Location
(Optional)
This step applies only if you will support either of the following groups:
UNIX application users who need to log in using a Windows domain. For more
information, see UNIX Application Support for NT LAN Manager on page 18.
Windows users who need to log in using more than one Windows domain although there
are no trust relationships set up. For more information, see Multiple-Domain Support for
NT LAN Manager on page 18.
To specify the location of the Hyperion Remote Authentication Module:
1 In the Host name field, enter the correct host name of the Remote Authentication Module.
2 In the Port field, enter the port number on which the Remote Authentication Module runs. The default port
number is 58000.
The Remote Authentication Module and its documentation are available on the Hyperion
Download Center.
3 Save the configuration or continue to the next section.
Specifying the Provider Trust Setting (Optional)
To specify the provider trust setting, leave the Trusted check box empty if this is not a trusted
NT LAN Manager provider, or check the box if this is a trusted provider.
If the trust setting is true, a password is not present or required in the token generated
upon user authentication. The user still must log in with a user name and password, but the
password is not stored in the token.
If the trust setting is false, a password is part of the token, and this is required for this
NTLM provider.
Note: If your corporation uses a security agent such as Netegrity SiteMinder to protect company Web resources, the
provider must be trusted. For more information, see Chapter 6, Setting Up the Environment for Netegrity Single
Sign-On.
See also More Information: Trusted vs. Not Trusted on page 23.
Setting Maximum Result-Set Size (Optional)
You can set the maximum number of entries that can be returned as a result of a request to the
authentication provider (for example, a request by a Hyperion application to list users available
for login).
To set the maximum result-set size for an NT LAN Manager provider:
In the Maximum Size field, enter the desired maximum number of entries that can be returned
in a query.
If the Maximum Size field is left empty, the default value is 100.
If the Maximum Size field is set to 0, no results are returned.
Note: The above statement is true only for NT LAN Manager. When you use LDAP or Active Directory, a maximum size of
0 means that the result-set size is unlimited.
Completing the Configuration (Required)
Click Save to commit your configuration changes. Hyperion Hub writes your configuration
changes to the CSS.xml file.
Setting the Search Order
The search order provides the external authentication mechanism with the ability to access
multiple providers in a sequential manner. At least one provider must be in the search order.
To set the search order of authentication providers:
1 In the Hub Console Defined Providers list, select a provider and do any of the following actions:
a. Click Add to place a provider in the search order. If any provider is left out of the search
order, that provider cannot be used for authentication.
b. Click Move Up to give the provider a higher priority in the search order. The first priority
is 1.
It would make sense to place the provider containing the most users of Hyperion
applications first in the search order, if that information is known.
c. Click Move Down to give the provider a lower priority in the search order. The last priority
is represented by the highest number.
d. Click Remove to remove a provider from the search order.
At least one provider must remain in the search order. Any providers you remove from the
search order will not be included as potential authentication sources.
2 Click Save to commit your configuration changes. Hyperion Hub writes your configuration changes to the
CSS.xml file.
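The following Python is an added illustration, not Hyperion's own code. It models the sequential search order described above together with the username@providerName convention from the section Notes About User and Group Names: providers are consulted in priority order, a provider left out of the search order cannot authenticate anyone, and naming a provider after the @ that is not in the search order is an error. The in-memory Provider stand-in, its user table and the rule that the walk stops at the first provider that accepts the credentials are constructed assumptions, not documented product behaviour.

```python
"""Sequential provider search order plus the user@providerName convention.

Added example, not Hyperion's code. The in-memory Provider stand-in and
the first-provider-that-accepts rule are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Provider:
    name: str
    users: dict = field(default_factory=dict)   # constructed: login -> password

    def authenticate(self, login, password):
        """Stand-in for an LDAP/MSAD/NTLM password check."""
        return login in self.users and self.users[login] == password


def set_search_order(defined, ordered_names):
    """Build the search order from the Hub's defined providers.

    Priority 1 is first; defined providers not named here stay 'Not Used'.
    """
    if not ordered_names:
        raise ValueError("at least one provider must be in the search order")
    by_name = {p.name: p for p in defined}
    missing = [n for n in ordered_names if n not in by_name]
    if missing:
        raise ValueError(f"not a defined provider: {missing}")
    return [by_name[n] for n in ordered_names]


def split_provider(name):
    """'jblow@ntlmServer' -> ('jblow', 'ntlmServer'); a plain name gives None.

    '@' is reserved: everything after it is taken as a provider name.
    """
    if "@" not in name:
        return name, None
    user, provider = name.split("@", 1)
    return user, provider


def authenticate(search_order, login, password):
    """Return (identity, reason); identity is 'user@provider' or None.

    Without '@' the providers are tried in priority order, which is why the
    guide suggests placing the provider holding most users first.
    """
    user, pinned = split_provider(login)
    if pinned is not None:
        # An explicit provider narrows the lookup; it never widens it.
        candidates = [p for p in search_order if p.name == pinned]
        if not candidates:
            return None, f"provider '{pinned}' is not in the search order"
    else:
        candidates = search_order
    for prov in candidates:
        if prov.authenticate(user, password):
            return f"{user}@{prov.name}", "ok"
    return None, "authentication failed"


def demo():
    # Constructed providers; the login 'jblow' exists in two of them.
    defined = [Provider("ldapserver1", {"asmith": "s3cret", "jblow": "ldap-pw"}),
               Provider("ntlmServer", {"jblow": "ntlm-pw"}),
               Provider("ldapserver2")]                      # left 'Not Used'
    order = set_search_order(defined, ["ldapserver1", "ntlmServer"])
    return [authenticate(order, "jblow", "ntlm-pw"),
            authenticate(order, "jblow", "ldap-pw"),
            authenticate(order, "jblow@ntlmServer", "ldap-pw"),
            authenticate(order, "jblow@ldapserver2", "x")]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The returned identity always carries the provider name, so the same login existing in two providers (jblow above) stays distinguishable, and an @-qualified login only restricts which provider is consulted; a provider that is defined but not in the search order is refused rather than silently tried.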
Setting the Token Time-out
When an externally authenticated user logs in to a Hyperion application, a token is generated
to contain the login credentials. You can configure the token to expire after a specified number
of minutes, instead of the default of 480 minutes (8 hours).
To define the length of time a token is valid:
1 In the Additional Configuration section of the Hub Console, locate the Token Timeout field.
2 In the Token Timeout field, enter the number of minutes that should pass before a user is required to re-
authenticate.
3 Click Save to commit your configuration changes. Hyperion Hub writes your configuration changes to the
CSS.xml file.
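The Python below is an added illustration, not Hyperion's code. It follows the two step sequences in More Information: Trusted vs. Not Trusted (the trusted path checks token structure, time-out and that the identity exists; the untrusted path additionally re-validates the password carried in the token) and applies the 480-minute default from this section. The token format (a JSON payload protected by an HMAC tag rather than the product's encryption), the shared key and the provider stand-in are constructed assumptions.

```python
"""Single sign-on token handling for trusted and untrusted providers.

Added example, not Hyperion's code. Token format, key and provider
stand-in are constructed assumptions; the step numbers in the comments
refer to the guide's two sequences.
"""
import base64
import hashlib
import hmac
import json
import time

DEFAULT_TOKEN_TIMEOUT_MINUTES = 480          # the guide's default (8 hours)
SSO_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = hashlib.sha256().digest_size


class ConstructedProvider:
    """Stand-in for an LDAP, Active Directory or NTLM provider."""

    def __init__(self, users):
        self.users = users                   # login -> password (constructed)

    def user_exists(self, identity):
        return identity in self.users

    def check_password(self, identity, password):
        return self.users.get(identity) == password


def issue_token(identity, password, trusted, issued_at=None):
    """Application 1 builds the token; the password is included only when
    the provider is not trusted."""
    payload = {"identity": identity,
               "issued": int(time.time()) if issued_at is None else issued_at}
    if not trusted:
        payload["password"] = password
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SSO_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def validate_token(token, provider, trusted, now=None,
                   timeout_minutes=DEFAULT_TOKEN_TIMEOUT_MINUTES):
    """The single sign-on mechanism's checks on behalf of application 2.
    Returns (identity, reason); identity is None when the token is rejected."""
    # Step 3: the token must be constructed properly (decodes, tag verifies).
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SSO_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "malformed token"
        payload = json.loads(body)
    except (ValueError, TypeError):
        return None, "malformed token"
    # Step 4: the token must not have timed out.
    now = int(time.time()) if now is None else now
    if now - payload["issued"] > timeout_minutes * 60:
        return None, "token timed out"
    identity = payload["identity"]
    if trusted:
        # Steps 5-6: only the identity is checked against the providers;
        # the credentials themselves are not re-validated.
        if not provider.user_exists(identity):
            return None, "unknown user"
    else:
        # Steps 5-7: identity and password are extracted and re-validated.
        if "password" not in payload:
            return None, "untrusted provider needs the password in the token"
        if not provider.check_password(identity, payload["password"]):
            return None, "credentials rejected"
    # Final step: the identity string goes back to application 2.
    return identity, "ok"
```

With Trusted set, a well-formed, unexpired token for an existing identity is accepted without any password check, so the confidentiality and integrity of the token and the Token Timeout value carry the whole weight of the decision; with Trusted clear, the directory is consulted again on every hand-off, at the cost of carrying the password in the token.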
Configuring the Preferred Logging Priority
You can adjust the level of authentication-related messages you want all participating Hyperion
applications to log.
To configure the error level setting for applications supporting external authentication and
single sign-on:
1 In the Additional Configuration section of the Hub Console, locate the Logging Level field.
2 In the Logging Level drop-down list box, select the level of reporting that you want Hyperion applications to
use when logging external authentication activities.
In the following table of valid values, each level is inclusive of the levels below it:
Table 3 Description of Logging Levels
Level   Description
DEBUG   Includes extensive information useful for debugging
INFO    Includes information on the status of operations and requests
WARN    Includes cautionary information, if relevant, for some operations and requests
ERROR   Includes only statements pertaining to failed operations and requests
FATAL   Includes only information about errors that result in a disconnection
The name of the log file is HyperionCSS.log, and it is stored in the temp directory of the
operating system.
3 Click Save to commit your configuration changes. Hyperion Hub writes your configuration changes to the
CSS.xml file.
Additional Configuration Elements
The following optional configuration elements are not currently available using the Hyperion
Hub console. If you need to use any of the following configuration elements, you must edit the
Hyperion Hub CSS.xml file directly using a text editor. Do not edit the file until after you have
completed the preliminary configuration using the Hyperion Hub console. Additionally, we
recommend backing up the existing CSS.xml file before editing it directly.
The CSS.xml file is located at:
HUB\deployments\Tomcat\4.1.18\CSS.xml
where HUB represents the directory where Hyperion Hub was installed.
Caution! Be sure to save your changes to the CSS.xml file before closing the text editor and before using
the Hyperion Hub console again.
Before continuing, it is recommended that you examine the structure of the sample CSS.xml
files in Appendix 10, Sample Configuration XML Files.
This section contains the following topics:
User Login Attribute (Optional, LDAP/MSAD Only) on page 29
User First-name Attribute (Optional, LDAP/MSAD Only) on page 30
User Surname Attribute (Optional, LDAP/MSAD Only) on page 31
User E-mail Attribute (Optional, LDAP/MSAD Only) on page 31
Custom User Object-Class Entries (Optional, LDAP/MSAD Only) on page 32
Group Name Attribute (Optional, LDAP/MSAD Only) on page 33
Custom Group Object-Class Entries (Optional, LDAP/MSAD Only) on page 33
Referral Support (Optional, MSAD Only) on page 34
User Login Attribute (Optional, LDAP/MSAD Only)
You can use the user login attribute to specify a directory attribute that uniquely identifies all
relevant user entries.
To configure the user login attribute:
1 Add a User section to the appropriate Provider section of the XML if one does not exist, and add a
loginAttribute element to the User section. The tags should be nested as follows, with the additions
shown in bold:
<spi>
<provider>
<ldap name="ldapserver">
...
<user>
<loginAttribute></loginAttribute>
</user>
...
</ldap>
</provider>
</spi>
2 Between the <loginAttribute></loginAttribute> tags, enter the value of an attribute in the
directory that uniquely identifies user entries.
The attribute may be part of the DN, such as cn or uid, or a customized attribute, such as
employee_ID, or any other attribute commonly used in the directory nodes of users. If the
<loginAttribute> section is deleted, the default value is cn.
The following sample configuration states that the user names in which we are interested are
using the common name attribute:
<loginAttribute>cn</loginAttribute>
The sample above is correct if it is true that all user names are identified by
cn = UserName, as is Autumn Smith in the following LDAP browser view of a corporate
directory store:
The above example highlights a subset of the DN. However, the loginAttribute property
can instead refer to an attribute under the directory node for the user; for example,
loginAttribute can point to uid, as shown in the following entry detail:
3 Save the CSS.xml file.
User First-name Attribute (Optional, LDAP/MSAD Only)
You can use the first-name attribute to specify the directory attribute that is associated with
first-name entries in the directory.
To configure the user first-name attribute:
1 Add a User section to the appropriate Provider section of the XML if one does not exist, and add a
fnAttribute element to the User section. The tags should be nested as follows, with the additions
shown in bold:
<spi>
<provider>
<ldap name="ldapserver">
...
<user>
<fnAttribute></fnAttribute>
</user>
...
</ldap>
</provider>
</spi>
2 Between the <fnAttribute></fnAttribute> tags, enter the value of an attribute that is
associated with first-name entries in the directory. If the fnAttribute element is not used, the default
value for the first-name attribute is givenname.
3 Save the CSS.xml file.
User Surname Attribute (Optional, LDAP/MSAD Only)
You can use the surname attribute to specify the directory attribute that is associated with last-
name entries in the directory.
To configure the user surname attribute:
1 Add a User section to the appropriate Provider section of the XML if one does not exist, and add an
snAttribute element to the User section. The tags should be nested as follows, with the additions
shown in bold:
<spi>
<provider>
<ldap name="ldapserver">
...
<user>
<snAttribute></snAttribute>
</user>
...
</ldap>
</provider>
</spi>
2 Between the <snAttribute></snAttribute> tags, enter the value of an attribute that is
associated with last-name entries in the LDAP directory. If the surname attribute is not used, the default
value is sn.
3 Save the CSS.xml file.
User E-mail Attribute (Optional, LDAP/MSAD Only)
You can use the e-mail attribute to specify the directory attribute that is associated with e-mail
addresses stored as entries in your corporate directory.
To configure the user e-mail attribute:
1 Add a User section to the appropriate Provider section of the XML if one does not exist, and add an
emailAttribute element to the User section. The tags should be nested as follows, with the additions
shown in bold:
<spi>
<provider>
<ldap name="ldapserver">
...
<user>
<emailAttribute></emailAttribute>
</user>
...
</ldap>
</provider>
</spi>
2 Between the <emailAttribute></emailAttribute> tags, enter the value of an attribute that is
mapped to e-mail addresses stored in your corporate directory. If the e-mail attribute is not used, the
default value is mail.
3 Save the CSS.xml file.
Custom User Object-Class Entries
(Optional, LDAP/MSAD Only)
You can add custom elements to the CSS.xml file if your corporate directory schema requires
specialized object classes to describe users, and those object classes are not present in the
existing entries.
To add custom user object classes:
1 Add a User section to the appropriate Provider section of the XML if one does not exist, and add one or
more objectclass and entry elements to the User section. The tags should be nested as follows,
with the additions shown in bold:
<spi>
<provider>
<ldap name="ldapserver">
...
<user>
...
<objectclass>
<entry></entry>
</objectclass>
...
</user>
...
</ldap>
</provider>
</spi>
2 Add a value to each <entry> element.
The provided (default) user object classes for LDAP are person, organizationalPerson,
and inetOrgPerson.
The provided (default) user object classes for Active Directory are person,
organizationalPerson, and user.
3 Save the CSS.xml file.
Group Name Attribute (Optional, LDAP/MSAD Only)
You can use the group name attribute to specify a directory attribute that uniquely identifies all
relevant group entries.
To configure the group name attribute:
1 Add a Group section to the appropriate Provider section of the XML if one does not exist, and add a
nameAttribute element to the Group section. The tags should be nested as follows, with the additions
shown in bold:
<spi>
<provider>
<ldap name="ldapserver">
...
<group>
<nameAttribute></nameAttribute>
</group>
...
</ldap>
</provider>
</spi>
2 Between the <nameAttribute></nameAttribute> tags, enter the value of an attribute in the
corporate directory through which a group entry can be discovered. If the group name attribute is not used,
the default value is cn.
For example, the following configuration means that the group names containing the relevant
user entries use the Common Name attribute:
<nameAttribute>cn</nameAttribute>
3 Save the CSS.xml file.
Custom Group Object-Class Entries
(Optional, LDAP/MSAD Only)
You can add custom elements to the CSS.xml file if your corporate directory schema requires
specialized object classes to describe groups, and those object classes are not present in the
existing entries.
To add custom group object classes:
1 Add a Group section to the appropriate Provider section of the XML if one does not exist, and add one or
more objectclass and entry elements to the Group section. The tags should be nested as follows,
with the additions shown in bold:
<spi>
<provider>
<ldap name="ldapserver">
...
<group>
...
<objectclass>
<entry></entry>
</objectclass>
...
</group>
...
</ldap>
</provider>
</spi>
2 Add a value to each <entry> element.
The provided (default) group object classes for LDAP are
groupofuniquenames?uniquemember and groupOfNames?member.
The provided (default) group object class for Active Directory is group?member.
For additional entries you make, the <entry> tag values must be of the format
ObjectClassName?AttributeName
For example:
<entry>group?member</entry>
where group is the name of the objectClass and member is the attribute that holds the
distinguished Name of the member of this group.
3 Save the CSS.xml file.
Referral Support (Optional, MSAD Only)
The <property></property> element enables the use of referrals in Microsoft Active Directory.
Microsoft Active Directory referral entries are ignored unless this setting is added to the
configuration file.
To add support for referrals:
1 Add a Property section to the end of the msad provider section of the XML, following the closing <group>
tag. Include the keys and values shown. The tags should be nested as follows, with the additions shown in
bold:
<spi>
<provider>
<msad name="msadServer">
...
<user>
...
</user>
<group>
...
</group>
<property>
<key>com.hyperion.css.followReferral</key>
<value>true</value>
</property>
</msad>
</provider>
</spi>
2 Save the CSS.xml file.
Verifying a Correct Configuration
To verify that you correctly configured Hyperion Hub for external authentication:
1 Restart Hub and log in again.
2 Go to the Security > Manage Users and Groups section of the console, and click the Users tab.
3 Select a provider from the drop-down list.
4 Add an external user. For instructions, see the Configuration Console Help.
If configuration was successful, users will be found in the external authentication providers
and displayed in the console.
If any provider in the search order was configured incorrectly, a message will request that you
correct the external-authentication configuration.
Note: Verification applies only to the provider configurations which you added to the search order. If a provider
configuration is marked Not Used in the Hub Configuration Console, that means you have not added it to the
search order, and verification is not done.
If you need more help completing the above steps, click Help in the Hub Configuration
Console.
Notes About User and Group Names
@ is a reserved character that is used to delineate the user name or group name from the
provider name.
For example:
username@providerName => jblow@ntlmServer
groupname@providerName => marketing@ntlmServer
If a user name or group name contains @, the characters following the @ are considered to be
the name of a provider registered in the search order.
If such a provider name does not exist, an error message is returned.
Additionally, any character reserved for LDAP search filters or DNs may not be used for LDAP
or MSAD user/group names, with the exception noted below. The list of reserved characters is
published as RFC 2254, and is summarized below:
Reserved for LDAP search filters: * ( ) \ NUL
Reserved for LDAP DNs: , (comma) = + < > ; \ " # SPACE
Exception: The MSAD provider allows user and group names containing the comma. All the
other characters listed above are not supported as part of user or group names or as part of the
DN.
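The following is an added example, not code from the Hyperion documentation or from the security platform. It applies the two rules of this section before a name is handed to a provider: the text after @ must name a provider registered in the search order, and an LDAP or MSAD user or group name may not contain the reserved characters listed above, with the MSAD comma exception. The provider names and types it uses are constructed for the example.

```python
# Added example, not from the Hyperion documentation: the checks this section
# describes, applied before a name is passed to a provider.  Provider names
# and types used here are constructed for the example.
from __future__ import annotations

# Characters reserved for LDAP search filters (RFC 2254) and for DNs.
FILTER_RESERVED = {"*", "(", ")", "\\", "\x00"}
DN_RESERVED = {",", "=", "+", "<", ">", ";", "\\", '"', "#", " "}


def split_principal(name: str, providers) -> tuple[str, str | None]:
    """Split 'name@provider'.  Everything after the '@' must be a provider
    registered in the search order; otherwise the name is rejected."""
    local, sep, provider = name.partition("@")
    if not sep:
        return name, None
    if provider not in providers:
        raise ValueError(f"no provider named {provider!r} is registered in the search order")
    return local, provider


def reserved_in_name(name: str, provider_type: str) -> set[str]:
    """Reserved characters that occur in an LDAP or MSAD user/group name.
    An empty set means the name is acceptable.  Only the MSAD provider
    tolerates the comma."""
    reserved = FILTER_RESERVED | DN_RESERVED
    if provider_type == "msad":
        reserved = reserved - {","}
    return {ch for ch in name if ch in reserved}


def check_principal(full_name: str, provider_types: dict[str, str]) -> str | None:
    """Return an error message, or None when the name can be looked up safely.
    provider_types maps each registered provider name to 'ldap', 'msad' or
    'ntlm'.  A name without '@' is resolved through the whole search order,
    so it is checked against every LDAP/MSAD provider (the strictest wins)."""
    try:
        local, provider = split_principal(full_name, provider_types)
    except ValueError as exc:
        return str(exc)
    types = {provider_types[provider]} if provider else set(provider_types.values())
    bad: set[str] = set()
    for provider_type in types:
        if provider_type in ("ldap", "msad"):
            bad |= reserved_in_name(local, provider_type)
    if bad:
        return f"{local!r} contains reserved character(s) {sorted(bad)}"
    return None


if __name__ == "__main__":
    providers = {"ntlmServer": "ntlm", "ldapserver": "ldap", "msadServer": "msad"}
    for candidate in ("jblow@ntlmServer", "Smith,John@msadServer", "Smith,John@ldapserver", "j*blow"):
        print(candidate, "->", check_principal(candidate, providers) or "ok")
```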
Chapter 5 Configuring Hyperion Products for External Authentication
This chapter explains to administrators how to configure each Hyperion product to support
authentication of users that are stored in LDAP, Active Directory, or Windows NT LAN
Manager (NTLM) external-authentication providers. Configuration also enables single sign-on,
the ability to access multiple Hyperion products after logging on only once using external
credentials.
This chapter assumes that you have already configured Hyperion Hub for external
authentication as described in Chapter 4, Configuring Hyperion Hub for External
Authentication.
In this chapter, the products are discussed in alphabetical order.
In This Chapter
Hyperion Analyzer on page 38
Hyperion Application Builder on page 39
Hyperion Business Modeling on page 42
Hyperion Business Rules on page 43
Hyperion Enterprise on page 43
Hyperion Essbase on page 43
Hyperion Financial Management on page 52
Hyperion Metrics Builder on page 53
Hyperion Performance Scorecard on page 54
Hyperion Performance Suite on page 54
Hyperion Planning on page 55
Hyperion Reports on page 59
Hyperion SQR and Intelligence on page 60
Hyperion Strategic Finance on page 60
Hyperion Translation Manager on page 62
Hyperion Analyzer
This topic contains the following sections:
Environment Setup Requirements on page 38
Referencing the Hub Configuration on page 38
Configuring for SiteMinder Single Sign-On on page 39
Environment Setup Requirements
Copy the following Java Cryptography Extension (JCE) archives from the
..\hyperion\analyzer\css directory to the application server Java Runtime Environment
\lib\ext directory:
jce1_2_2.jar
local_policy.jar
sunjce_provider.jar
US_export_policy.jar
Note: If these files already exist at this location, do not overwrite them.
Referencing the Hub Configuration
To enable Analyzer to use Hub configuration for external authentication, you must specify the
path to the Hub configuration.
To enable external authentication and specify the path to the Hub configuration:
1 Within the <Analyzer home>\conf directory, open the Analyzer.properties file using a text
editor.
2 To enable external authentication, set the UseCSS entry to TRUE.
UseCSS=true
3 To set the path to the Hub configuration that you completed in Chapter 4, Configuring Hyperion Hub for
External Authentication, give the Hub URL as a value to the CSSConfig entry.
The URL format must be as follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
For example, modify the CSSConfig entry as follows:
CSSConfig=http://hubserver:58080/interop/framework/getCSSConfigFile
4 Save the Analyzer.properties file.
The specified path is displayed in the External tab Configuration File field.
Configuring for SiteMinder Single Sign-On
To implement SiteMinder authentication with Hyperion Analyzer,
1 Complete the Hub configuration steps as detailed in Chapter 6, Setting Up the Environment for Netegrity
Single Sign-On.
2 Because not all implementations use Web Access Management solutions such as Netegrity SiteMinder,
you must also edit the Analyzer.jsp and Administrator.jsp files. Two JSP parameters have
been commented out in each file and must be uncommented before SiteMinder can be used. Search for
the following parameters, remove only the comment marks (<%-- and --%>), and save the JSP files.
<%-- <param name = securityAgentToken value ="<%= com.hyperion.analyzer.utils.general.HYAURLParamHandler.getSecurityAgentTokenParam(request, application) %>"> --%>
<%-- <param name = siteMinderSession value ="<%= com.hyperion.analyzer.utils.general.HYAURLParamHandler.getSiteMinderSession(request, response) %>"> --%>
Hyperion Application Builder
To enable Hyperion Application Builder to use Hub configuration for external authentication,
you must configure the application server and specify the path to the Hub configuration.
This topic contains the following sections:
Configuring the Application Server on page 39
Referencing the Hub Configuration on page 42
Configuring the Application Server
To enable Application Builder to use external authentication, you must edit the application
server web.xml file. The web.xml file is contained in the hab-samples.war file. As a default,
web.xml is set for J2EE security.
To edit the web.xml file:
1 Remove the comments for the WAACssAuthenticationServlet to enable SSO security. The
WAACssAuthenticationServlet emulates the J2EE application server's authentication. The
following snippet shows the code to uncomment:
<filter>
<filter-name>WAACssAuthenticationServletFilter</filter-name>
<display-name>CSS Authentication Servlet Filter</display-name>
<description>Servlet filter that simulates J2EE authentication
against CSS</description>
<filter-class>com.hyperion.waa.web.core.WAACssAuthenticationServletFilter</filter-class>
<init-param>
<param-name>AuthMethod</param-name>
<param-value>FORM</param-value>
<description>Provides the authentication method</description>
</init-param>
<init-param>
<param-name>RealmName</param-name>
<param-value>Hyperion Application Builder</param-value>
<description>Provides the realm name</description>
</init-param>
<init-param>
<param-name>FormLoginPage</param-name>
<param-value>/jsp/waa/admin/core/ADMINLogonPage.jsp</param-value>
<description>Provides the form login page for
authorization</description>
</init-param>
<init-param>
<param-name>FormErrorPage</param-name>
<param-value>/jsp/waa/admin/core/ADMINLogonErrorPage.jsp</param-value>
<description>Provides the form error page for
authorization</description>
</init-param>
<init-param>
<param-name>RoleNames</param-name>
<param-value>HAB_Admin</param-value>
<description>Provides a comma delimited list of role names that
can access the resources being filtered</description>
</init-param>
<init-param>
<param-name>CssConfigFileName</param-name>
<param-value>/WAACss.xml</param-value>
<description>Provides the CSS configuration filename for
authorization</description>
</init-param>
<init-param>
<param-name>SecurityProviderClassNames</param-name>
<param-value>com.sun.crypto.provider.SunJCE</param-value>
<description>A comma delimited list of class names of security
providers to register (needed for WebLogic)</description>
</init-param>
</filter>
2 Uncomment the <filter-mapping> entries:
<filter-mapping>
<filter-name>WAACssAuthenticationServletFilter</filter-name>
<servlet-name>ADMINApplicationServlet</servlet-name>
</filter-mapping>
<filter-mapping>
<filter-name>WAACssAuthenticationServletFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WAACssAuthenticationServletFilter</filter-name>
<url-pattern>/j_security_check</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WAACssAuthenticationServletFilter</filter-name>
<servlet-name>WAARepositoryContentServlet</servlet-name>
</filter-mapping>
<filter-mapping>
<filter-name>WAACssAuthenticationServletFilter</filter-name>
<servlet-name>ADMINInterOpServlet</servlet-name>
</filter-mapping>
3 Comment the <security-role-ref> entry:
<security-role-ref>
<description>Users with administrator rights</description>
<role-name>HAB_Admin</role-name>
<role-link>HAB_Admin</role-link>
</security-role-ref>

4 Comment the <security-constraint>, <login-config> and <security-role> entries:
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Application</web-resource-name>
<description>Protect all accessible servlets</description>
<url-pattern>/ADMINApplicationServlet</url-pattern>
<url-pattern>*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Authorize known roles</description>
<role-name>HAB_Admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Hyperion Application Builder</realm-name>
<form-login-config>
<form-login-page>/jsp/waa/admin/core/ADMINLogonPage.jsp</form-login-page>
<form-error-page>/jsp/waa/admin/core/ADMINLogonErrorPage.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Users with limited rights</description>
<role-name>HAB_User</role-name>
</security-role>
<security-role>
<description>Users with administrator rights</description>
<role-name>HAB_Admin</role-name>
</security-role>
<security-role>
<description>Users with read-write data access
rights</description>
<role-name>HAB_Analyst</role-name>
</security-role>
<security-role>
<description>Users with read-only data access
rights</description>
<role-name>HAB_Viewer</role-name>
</security-role>
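The following is an added example, not code from the Hyperion documentation or from Hyperion Application Builder. After steps 3 and 4, the container no longer enforces the <security-constraint>, so the filter mappings from step 2 are the only authentication in front of the administration resources; this check parses a web.xml and reports any URL pattern the former constraint protected that no WAACssAuthenticationServletFilter mapping reaches. The web.xml inside it is a constructed, cut-down sample that deliberately omits one mapping, and its <servlet-mapping> URL patterns are assumptions for the example.

```python
# Added example, not part of the Hyperion documentation or of Application
# Builder: once the J2EE <security-constraint> is commented out, the filter is
# the only thing standing in front of the admin resources, so this check confirms
# that every URL pattern the old constraint protected is still reached by a
# WAACssAuthenticationServletFilter mapping.  The web.xml below is a constructed,
# cut-down sample (it deliberately omits one mapping) and the servlet-mapping
# URL patterns in it are assumptions for the example.
from __future__ import annotations

import xml.etree.ElementTree as ET

FILTER_NAME = "WAACssAuthenticationServletFilter"

SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>WAACssAuthenticationServletFilter</filter-name>
    <filter-class>com.hyperion.waa.web.core.WAACssAuthenticationServletFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>WAACssAuthenticationServletFilter</filter-name>
    <servlet-name>ADMINApplicationServlet</servlet-name>
  </filter-mapping>
  <filter-mapping>
    <filter-name>WAACssAuthenticationServletFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <servlet-mapping>
    <servlet-name>ADMINApplicationServlet</servlet-name>
    <url-pattern>/ADMINApplicationServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>WAARepositoryContentServlet</servlet-name>
    <url-pattern>/WAARepositoryContentServlet</url-pattern>
  </servlet-mapping>
  <!--
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/ADMINApplicationServlet</url-pattern>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>
  -->
</web-app>"""


def _texts(parent, tag: str) -> set[str]:
    return {e.text.strip() for e in parent.findall(tag) if e.text}


def filtered_url_patterns(web_xml: str, filter_name: str = FILTER_NAME) -> set[str]:
    """URL patterns the filter covers, including patterns reached through a
    <servlet-name> mapping, resolved via the servlet's own <servlet-mapping>."""
    root = ET.fromstring(web_xml)
    patterns: set[str] = set()
    servlets: set[str] = set()
    for fm in root.findall("filter-mapping"):
        if (fm.findtext("filter-name") or "").strip() != filter_name:
            continue
        patterns |= _texts(fm, "url-pattern")
        servlets |= _texts(fm, "servlet-name")
    for sm in root.findall("servlet-mapping"):
        if (sm.findtext("servlet-name") or "").strip() in servlets:
            patterns |= _texts(sm, "url-pattern")
    return patterns


def unprotected_patterns(web_xml: str, required: set[str]) -> set[str]:
    """Patterns from the former security constraint with no filter in front of them."""
    return required - filtered_url_patterns(web_xml)


def active_security_constraints(web_xml: str) -> int:
    """Live (not commented-out) <security-constraint> elements; 0 after step 4,
    because the parser does not turn XML comments into elements."""
    return len(ET.fromstring(web_xml).findall("security-constraint"))


if __name__ == "__main__":
    required = {"/ADMINApplicationServlet", "*.jsp", "/WAARepositoryContentServlet"}
    print("unprotected:", unprotected_patterns(SAMPLE_WEB_XML, required))
    print("live security constraints:", active_security_constraints(SAMPLE_WEB_XML))
```

Run it against the real web.xml with the URL patterns of your own <security-constraint> in the required set; a non-empty result means a resource is reachable without passing through the CSS filter.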
Referencing the Hub Configuration
To enable Hyperion Application Builder to use the Hyperion Hub configuration for external
authentication, you must point to the Hyperion Hub configuration in the application server
web.xml file. The web.xml file is contained in the hab-samples.war file.
To point to the Hyperion Hub configuration, give the URL of the Hyperion Hub configuration
as the value of the CssConfigFileName parameter.
For example:
<init-param>
<param-name>CssConfigFileName</param-name>
<param-value>
http://hubsvr:58080/interop/framework/getCSSConfigFile
</param-value>
<description>
Provides the CSS configuration filename for authorization
</description>
</init-param>
Hyperion Business Modeling
This topic contains the following sections:
Referencing the Hub Configuration on page 42
Enabling Single Sign-on Between Hyperion Business Modeling and Other Hyperion
Products on page 43
Referencing the Hub Configuration
URL access to the Hyperion Hub configuration file is not supported by Hyperion Business
Modeling at this time. Instead, you must provide a file path. The file path can be specified
during installation, or by modifying a line in the HBM_Config.properties file.
To provide the location of the Hyperion Hub configuration file, modify the following line in
HBM_Config.properties:
hyperion.abm.authentication_service.css_config_path=HUB_CSS_XML_FILE_LOC
where HUB_CSS_XML_FILE_LOC is the path to the Hyperion Hub CSS.xml file. For
example, if Hyperion Hub is on the same computer as Hyperion Business Modeling,
hyperion.abm.authentication_service.css_config_path=C:\Hub\CSS.xml
By referencing the Hyperion Hub configuration, it is not necessary to configure a separate
CSSconfig.xml file for Hyperion Business Modeling.
Enabling Single Sign-on Between Hyperion Business Modeling and Other Hyperion Products
To configure the Hyperion Business Modeling Web application for single sign-on,
1 Identify the URL for each Hyperion product that is to be included in the single sign-on.
2 Link the product's URL with the name that is to be displayed on the main Web page for the application
through the Custom Tools window.
3 From the Preferences tab on the Home Page, select the Custom Tools tab.
4 Enter a Name for the link to the Hyperion application. This is the name that is displayed on the Hyperion
Business Modeling Home Page. Keep the short name meaningful so it is readily identified, such as
Hyperion Planning or Hyperion Performance Scorecard. The name cannot exceed 50 characters.
5 Enter the complete URL for the selected Web page, to a maximum of 200 characters. Do not include any
session-specific portion of the URL, as that Web page will not be displayed the next time you log on since
the same session no longer exists.
Note: For links to other Hyperion products only, you must also append a single sign-on token string to identify that
Hyperion product and enable single sign-on. In the link to the product's login page, add %SSO_TOKEN% to the
end of the login page, as shown in the following example:
http://server1:8300/HyperionPlanning/PlanningCentral.jsp%SSO_TOKEN%&Application=HP_Comma
6 Select All from the Visibility drop-down list. This selection indicates that the global tool is available to all
model builders and end users of Hyperion Business Modeling.
7 Click Save to save the information. The link to the Hyperion product is displayed the next time a user logs
on to the Home Page.
Hyperion Business Rules
External authentication for Hyperion Business Rules is automatically enabled by the
configuration of Essbase Administration Services.
Hyperion Enterprise
For instructions on configuring Hyperion Enterprise, see the Hyperion Enterprise
documentation. Hyperion Enterprise does not currently support references to a Hyperion Hub
configuration URL.
Hyperion Essbase
This topic contains the following sections:
Essbase Analytic Services on page 44
Essbase Administration Services on page 49
Essbase Deployment Services on page 51
Essbase Spreadsheet Services on page 52
Essbase Integration Services on page 52
Essbase Analytic Services
This topic contains the following sections:
Known Limitations on page 44
Referencing the Hub Configuration on page 44
Environment Setup Requirements on page 45
Searching for Users on page 49
Known Limitations
If you use Hybrid Analysis, you must use untrusted directories.
Referencing the Hub Configuration
To enable Analytic Services to use Hub configuration for external authentication, you must add
the AUTHENTICATIONMODULE setting to the essbase.cfg configuration file located in
the bin directory of the Analytic Services installation. The configuration applies to all
applications and databases defined on the Analytic Server.
A default essbase.cfg file is created during installation.
To edit the essbase.cfg configuration file:
1 Open the file in any text editor, such as Windows Notepad.
2 Enter the AUTHENTICATIONMODULE setting and its parameters on a single line in the file. For details, see
AUTHENTICATIONMODULE Setting on page 44
3 Save the file in the essbase\bin directory.
4 Stop and restart Analytic Services after changing the configuration file.
Note: To provide support for the security platform, the parameters for AUTHENTICATIONMODULE have been expanded.
Therefore, use this documentation to enable external authentication, rather than using the
AUTHENTICATIONMODULE documentation in the Analytic Services documentation.
AUTHENTICATIONMODULE Setting
The AUTHENTICATIONMODULE setting specifies the configuration needed to enable the
Analytic Server to use the security platform.
Syntax
AUTHENTICATIONMODULE module URL
module
An acronym that tells Analytic Services to use the Hyperion security platform. Use the following value: CSS
URL
The URL to the location of the security-platform configuration XML file hosted by Hyperion Hub. The URL format must be as follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
Notes
You must restart Analytic Server to initialize the changes. Hyperion Hub must be running
before you restart Analytic Server, in order for the URL to be found.
Use standard URL encoding whenever you refer to the Hyperion Hub configuration. For
example, the URL encoded value for a space is %20, so if the URL contains spaces, replace them
with %20.
Example
The following example should be all on one line in the essbase.cfg file.
AUTHENTICATIONMODULE CSS http://hubserver:58080/interop/framework/getCSSConfigFile
Environment Setup Requirements
To enable the security platform for Analytic Services, you must set library-path environment
variables to specify the location of the Java and JVM shared libraries. On Solaris, you must also
set an ESS_CSS_JVM_OPTION.
Analytic Services packages the Java Runtime Environment (JRE) with all supported
platforms. For the latest JRE version information and installation instructions, see the Essbase
Installation Guide, and also check the Readme.
This topic contains the following sections:
Windows Instructions on page 45
Solaris Instructions on page 46
Linux Instructions on page 47
AIX Instructions on page 47
HP-UX Instructions on page 48
Windows Instructions
On Windows NT, Windows 2000, or Windows 2003, set the PATH environment variable to
specify the location of the Java shared library jvm.dll found beneath the HYPERION_HOME
directory. Replace HYPERION_HOME with its value on your computer; for example,
C:\Program Files\Hyperion.
Examples
Add the following to the PATH specification:
set PATH=%HYPERION_HOME%\common\JRE\Sun\1.4.1\bin\server;%PATH%
If you are using the Korn shell, add the following text (all on one line) to your setup script:
export PATH=$HYPERION_HOME\common\JRE\Sun\1.4.1\bin\server;$PATH
Solaris Instructions
On Solaris, set LD_LIBRARY_PATH to specify the locations of the Java shared libraries
libjava.so and libjvm.so.
If you are using JRE 1.4.1, only version 1.4.1.01 is currently supported on Solaris.
Examples
In the C shell, add the following text (all one line) to the .cshrc file:
setenv LD_LIBRARY_PATH "$HYPERION_HOME/common/JRE/Sun/1.4.1/lib/sparc/server:$HYPERION_HOME/common/JRE/Sun/1.4.1/lib/sparc:$LD_LIBRARY_PATH"
In the Bourne or Korn shell, add the following text (all one line) to the .profile file:
export LD_LIBRARY_PATH="$HYPERION_HOME/common/JRE/Sun/1.4.1/lib/sparc/server:$HYPERION_HOME/common/JRE/Sun/1.4.1/lib/sparc:$LD_LIBRARY_PATH"
Note: On Solaris, the symbolic link for the JVM is set to the client version by default. To enable the security platform, you
must do one of the following: Either change the symbolic link to the server version as detailed in the Installation
Guide, or make sure that in LD_LIBRARY_PATH, $HYPERION_HOME/common/JRE/Sun/1.4.1/lib/sparc/server is
listed before $HYPERION_HOME/common/JRE/Sun/1.4.1/lib/sparc, as in the above example.
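The following is an added example, not code from the Hyperion documentation. It builds the LD_LIBRARY_PATH value the examples above set, with the server JVM directory ahead of the client directory as the note requires, and checks an existing value for the wrong order; the HYPERION_HOME value it uses is constructed.

```python
# Added example, not from the Hyperion documentation: build the Solaris
# LD_LIBRARY_PATH value the way the note requires (server JVM directory before
# the client one) and check an existing value for the wrong order.  The
# HYPERION_HOME value used in the demo is constructed.
from __future__ import annotations


def jvm_library_dirs(hyperion_home: str) -> tuple[str, str]:
    """(server JVM dir, client/common JVM dir) for the packaged Sun JRE 1.4.1 on SPARC."""
    base = f"{hyperion_home}/common/JRE/Sun/1.4.1/lib/sparc"
    return f"{base}/server", base


def ld_library_path_value(hyperion_home: str, existing: str = "") -> str:
    """The value the .profile/.cshrc examples set, prepended to any existing path."""
    server, client = jvm_library_dirs(hyperion_home)
    parts = [server, client] + ([existing] if existing else [])
    return ":".join(parts)


def server_jvm_first(ld_library_path: str, hyperion_home: str) -> bool:
    """True when the server JVM directory is present and precedes the client
    directory, so libjvm.so resolves to the server VM as the note requires."""
    server, client = jvm_library_dirs(hyperion_home)
    entries = ld_library_path.split(":")
    if server not in entries:
        return False
    return client not in entries or entries.index(server) < entries.index(client)


if __name__ == "__main__":
    import os
    home = os.environ.get("HYPERION_HOME", "/opt/hyperion")   # constructed default
    current = os.environ.get("LD_LIBRARY_PATH", "")
    print("server JVM first:", server_jvm_first(current, home))
    print("suggested value:", ld_library_path_value(home, current))
```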
Additional Solaris Instructions
On Solaris, if you are using JRE version 1.4.1_01, you need to set an ESS_CSS_JVM_OPTION
environment variable to use a special Java argument, Xusealtsigs.
ESS_CSS_JVM_OPTION1 through ESS_CSS_JVM_OPTION9 are available for setting options
for the Java Virtual Machine on Analytic Services.
Note: This is a requirement for the Analytic Services application process, and not specifically for the security platform.
This requirement applies only to JRE version 1.4.1_01 on Solaris, and is not applicable to other JRE versions on
Solaris.
Examples
In the C shell, add the following text to the .cshrc file:
setenv ESS_CSS_JVM_OPTION1 "-Xusealtsigs"
In the Bourne or Korn shell, add the following text to the .profile file:
ESS_CSS_JVM_OPTION1=-Xusealtsigs;
export ESS_CSS_JVM_OPTION1;
If you are using JRE version 1.3, you need to set an ESS_CSS_JVM_OPTION environment
variable to use a special Java argument, -XX:+AllowUserSignalHandlers.
ESS_CSS_JVM_OPTION1 through ESS_CSS_JVM_OPTION9 are available for setting options
for the Java Virtual Machine on Analytic Services.
Note: This is a requirement for the Analytic Services application process, and not specifically for the security platform.
This requirement applies only to JRE version 1.3 on Solaris, and is not applicable to other JRE versions on Solaris.
Examples
In the C shell, add the following text to the .cshrc file:
setenv ESS_CSS_JVM_OPTION1 "-XX:+AllowUserSignalHandlers"
In the Bourne or Korn shell, add the following text to the .profile file:
ESS_CSS_JVM_OPTION1=-XX:+AllowUserSignalHandlers;
export ESS_CSS_JVM_OPTION1;
Linux Instructions
On Linux, set LD_LIBRARY_PATH to specify the locations of the Java shared libraries
libjava.so and libjvm.so.
Examples
In the C shell, add the following text (all on one line) to the .cshrc file:
setenv LD_LIBRARY_PATH "$HYPERION_HOME/common/JRE/Sun/1.4.1/lib/i386:$HYPERION_HOME/common/JRE/Sun/1.4.1/lib/i386/server:$LD_LIBRARY_PATH"
In the Bourne or Korn shell, add the following text to the .profile file:
export LD_LIBRARY_PATH="$HYPERION_HOME/common/JRE/Sun/1.4.1/lib/i386:$HYPERION_HOME/common/JRE/Sun/1.4.1/lib/i386/server:$LD_LIBRARY_PATH"
AIX Instructions
On AIX, set LIBPATH to specify the location of the Java shared library libjava.a.
Examples
In the C shell, add the following text (all on one line) to the .cshrc file:
setenv LIBPATH "$HYPERION_HOME/common/JRE/IBM/1.4.1/bin:$LIBPATH"
In the Bourne or Korn shell, add the following text (all on one line) to the .profile file:
export LIBPATH="$HYPERION_HOME/common/JRE/IBM/1.4.1/bin:$LIBPATH"
HP-UX Instructions
On HP-UX, set SHLIB_PATH to specify the location of the Java shared libraries libjava.sl
and libjvm.sl.
Examples
In the C shell, add the following text (all on one line) to the .cshrc file:
setenv SHLIB_PATH "$HYPERION_HOME/common/JRE/HP/1.4.1/lib/PA_RISC:$HYPERION_HOME/common/JRE/HP/1.4.1/lib/PA_RISC/server:$SHLIB_PATH"
In the Bourne or Korn shell, add the following text to the .profile file:
export SHLIB_PATH="$HYPERION_HOME/common/JRE/HP/1.4.1/lib/PA_RISC:$HYPERION_HOME/common/JRE/HP/1.4.1/lib/PA_RISC/server:$SHLIB_PATH"
Additional HP-UX Instructions
The following requirements apply to setting up the Java Runtime Environment on HP-UX. JRE
is required if you want to use custom-defined functions, the security platform, or both.
If you are using JRE 1.4.1, only version 1.4.1.01 is currently supported on HP-UX.
To use JRE 1.4.1.01, you must set the environment variable LD_PRELOAD using a shell script
that you design for starting Analytic Services.
For example, create a script called startessbase.sh in $ARBORPATH/bin with the following
contents (for Bourne or Korn shell, and all on one line):
export LD_PRELOAD="$HYPERION_HOME/common/JRE/HP/1.4.1/lib/PA_RISC/server/libjvm.sl"
$ARBORPATH/bin/ESSBASE
and start Analytic Services using the startup script, as follows:
cd $ARBORPATH/bin
./startessbase.sh
The following example of a startessbase.sh script is for the C shell:
setenv LD_PRELOAD "$HYPERION_HOME/common/JRE/HP/1.4.1/lib/PA_RISC/server/libjvm.sl"
$ARBORPATH/bin/ESSBASE
Caution! Setting LD_PRELOAD in UNIX environment scripts such as .profile is not recommended,
as it may have side effects.
Caution! You must set LD_PRELOAD on HP-UX platforms if you are using the security platform;
otherwise, Analytic Services will terminate abnormally.
Searching for Users
Use Essbase Administration Services to search for and add externally authenticated users. See
Searching for Users in Administration Services on page 50.
You can also use the MaxL create user statement to add externally authenticated users.
However, there is no search feature when using MaxL.
Essbase Administration Services
This topic contains the following sections:
Referencing the Hub Configuration on page 49
Searching for Users in Administration Services on page 50
Setting Up BEA WebLogic 7.0.2 on page 50
Referencing the Hub Configuration
To enable Administration Services to use the Hub configuration for external authentication,
you must edit the SECURITY_CONFIGURATION setting in the OlapAdmin.properties
file located in the eas\server directory of the Administration Services installation.
To edit the OlapAdmin.properties file:
1 Open the file in any text editor, such as Windows Notepad.
2 Locate the SECURITY_CONFIGURATION setting and edit its value to point to the location of the security-
platform configuration XML file hosted by Hyperion Hub. The URL format must be as follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
For example, the following entry should be all on one line in the OlapAdmin.properties
file:
SECURITY_CONFIGURATION=http://hubserver:58080/interop/framework/getCSSConfigFile
Note: Use standard URL encoding whenever you refer to the Hyperion Hub configuration. For example, the URL encoded
value for a space is %20, so if the URL contains spaces, replace them with %20.
3 Save the file.
4 Stop and restart Administration Services after changing the configuration file.
Note: Hyperion Hub and Analytic Services must be running before you restart Administration Services, in order for the
Hub configuration to be found.
Searching for Users in Administration Services
To locate and add an externally authenticated user,
1 Using Administration Services Console, first create a user for Administration Services, and then create a
user for Analytic Services. For both users, use the Search feature to ensure that each user exists in the
external authentication repository.
Note: You can search using the wildcard character *. For example, b* would return all user IDs beginning with b.
2 Using Administration Services Console, add the properly configured Analytic Server to the Administration
Services user properties, and map the Administration Services user to the external Analytic Services user.
You can use the User Setup Wizard or the Administration Server User Properties window. For
detailed instructions, see Creating Users on Administration Servers in Essbase Administration
Services Online Help.
Note: When mapping the user, you do not need to enter a password because the user is externally authenticated.
3 Close and then reopen Administration Services Console.
4 Connect as the externally authenticated Administration Services user.
Setting Up BEA WebLogic 7.0.2
This section is applicable if you are using BEA WebLogic as the Web application server for
Administration Services. This step is required to prepare BEA WebLogic for external
authentication. If you have more than one instance of JRE installed, you need to configure the
instance that Administration Services uses.
If you are using WebLogic 7.0.2 or WebLogic 7.0.2 Express as your Web application server,
you need to copy the Java Cryptography Extension (.jar) files to the JRE directory for your
WebLogic Web application server. If you are using WebLogic 8.1 or WebLogic 8.1 Express, you
do not need to follow the procedure in this section.
To prepare a WebLogic Web application server for external authentication,
1 Copy the following four .jar files
jce1_1_2.jar
local_policy.jar
sunjce_provider.jar
US_export_policy.jar
from the jce directory (for example, C:\hyperion\common\jce\1.2.2)
to the ext directory (for example, <application_directory>\jdk131_03\jre\lib\ext
or <application_directory>\jrockit70sp2_131\jre\lib\ext).
2 Open the java.security file from
<application_directory>\jdk131_03\jre\lib\security or
<application_directory>\jrockit70sp2_131\jre\lib\security
and make sure it has the following two lines. If not, add the missing line(s) after the similar lines
specifying security providers.
security.provider.n=com.sun.rsajca.Provider
security.provider.n+1=com.sun.crypto.provider.SunJCE
where n is a unique number.
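The following is an added example, not code from the Hyperion documentation or from BEA WebLogic. It checks a java.security file for the two provider lines step 2 requires and reports the value of n to use when adding them. The JRE registers security.provider.1, security.provider.2, and so on in order and stops at the first number that is absent, so a gap in the numbering silently disables every provider after it; the check reports such a gap as well. The java.security text inside it is a constructed, shortened sample.

```python
# Added example, not from the Hyperion documentation: check a java.security
# file for the two provider lines step 2 requires, and find the value of n
# for adding them.  The JRE reads security.provider.1, .2, ... in order and
# stops at the first number that is missing, so a gap silently disables every
# provider after it; this check reports that too.  The sample file text is
# constructed (and shortened) for the example.
from __future__ import annotations

import re

REQUIRED_PROVIDERS = ("com.sun.rsajca.Provider", "com.sun.crypto.provider.SunJCE")
_PROVIDER_LINE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

SAMPLE_JAVA_SECURITY = """# constructed sample of a java.security provider list
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
# note the gap: there is no security.provider.4
security.provider.5=com.sun.crypto.provider.SunJCE
"""


def provider_table(java_security: str) -> dict[int, str]:
    """All security.provider.N lines, keyed by N (commented-out lines are ignored)."""
    table: dict[int, str] = {}
    for line in java_security.splitlines():
        m = _PROVIDER_LINE.match(line)
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def loaded_providers(java_security: str) -> list[str]:
    """Providers the JRE will register: contiguous from 1 up to the first gap."""
    table = provider_table(java_security)
    loaded, n = [], 1
    while n in table:
        loaded.append(table[n])
        n += 1
    return loaded


def numbering_gap(java_security: str) -> int | None:
    """The first missing index when higher-numbered entries exist, else None."""
    table = provider_table(java_security)
    if not table:
        return None
    n = 1
    while n in table:
        n += 1
    return n if n < max(table) else None


def missing_providers(java_security: str) -> list[str]:
    """Required providers that the JRE would not load from this file."""
    loaded = loaded_providers(java_security)
    return [p for p in REQUIRED_PROVIDERS if p not in loaded]


def next_free_index(java_security: str) -> int:
    """The n to use for a new security.provider.n line (n+1 is then free too)."""
    return max(provider_table(java_security), default=0) + 1


if __name__ == "__main__":
    print("loaded:", loaded_providers(SAMPLE_JAVA_SECURITY))
    print("gap at:", numbering_gap(SAMPLE_JAVA_SECURITY))
    print("missing:", missing_providers(SAMPLE_JAVA_SECURITY))
    print("next n:", next_free_index(SAMPLE_JAVA_SECURITY))
```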
Essbase Deployment Services
This topic contains the following sections:
Referencing the Hub Configuration on page 51
Searching for Users in Deployment Services on page 52
Referencing the Hub Configuration
To enable Deployment Services to use the Hub configuration for external authentication, you
must edit the nativeSecurity.css.config.file.name setting in the
Essbase.properties file located in the bin directory of the Deployment Services
installation.
To edit the Essbase.properties file:
1 Open the file in any text editor, such as Windows Notepad.
2 Locate the nativeSecurity.css.config.file.name setting and edit its value to point to the
location of the security-platform configuration XML file hosted by Hyperion Hub. The URL format must be as
follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
For example, the following entry should be all on one line in the Essbase.properties file:
nativeSecurity.css.config.file.name=http://hubserver:58080/interop/framework/getCSSConfigFile
Note: Use standard URL encoding whenever you refer to the Hyperion Hub configuration. For example, the URL encoded
value for a space is %20, so if the URL contains spaces, replace them with %20.
3 Save the file.
4 Stop and restart Deployment Services after changing the configuration file.
Note: Hyperion Hub must be running before you restart Deployment Services, in order for the Hub configuration to be
found.
Searching for Users in Deployment Services
To locate and add an externally authenticated user,
1 Using the Deployment Servers node in Enterprise View in Essbase Administration Services Console, create
a user of type External. Use the Search feature to ensure that each user exists in the external
authentication repository.
Note: You can search using the wildcard character *. For example, b* would return all user IDs beginning with b.
Note: You do not need to enter a password when the user is externally authenticated.
2 Close and then reopen the Deployment Servers node in Enterprise View in Essbase Administration Services
Console.
3 Connect as the externally authenticated user.
Essbase Spreadsheet Services
External authentication for Essbase Spreadsheet Services is automatically enabled by the
configuration of Essbase Deployment Services.
Essbase Integration Services
External authentication is not relevant for Essbase Integration Services.
Hyperion Financial Management
To enable external authentication and single sign-on for Hyperion Financial Management, it is
recommended that you reference the Hub configuration.
This topic contains the following sections:
Referencing the Hub Configuration on page 52
Adding Externally Authenticated Users in Hyperion Financial Management on page 53
Referencing the Hub Configuration
To reference the Hub configuration,
1 Stop the following processes:
HsxServer.exe
HSVDataSource.exe
2 Using the registry editor, go to the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Hyperion Solutions\Hyperion Financial Management\Server\Authentication
3 Update the ConnectionInfo setting with the URL of the Hub configuration.
The URL format must be as follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
For example,
http://hubserver:58080/interop/framework/getCSSConfigFile
4 Update the ProviderType setting with a value of 0. This tells Financial Management to use external
authentication.
5 Save the registry settings.
6 If Hyperion Financial Management is running as a service, stop and restart the service.
Adding Externally Authenticated Users in Hyperion Financial
Management
To locate and add an externally authenticated user,
1 In the Win32 client, open the application for which you want to manage users.
2 Select Define Users and Groups from the desktop navigation frame.
3 Click .
4 In the Domain text box, it is recommended that you enter the NT LAN Manager domain, if applicable. If you
are adding a user from an LDAP or MSAD directory, leave the Domain text box blank.
5 In the User or Group text box, enter the externally authenticated user name. You must enter the entire user
name, because provider hints are not currently supported in Hyperion Financial Management.
6 Click OK.
Hyperion Metrics Builder
To reference the Hyperion Hub configuration for Hyperion Metrics Builder,
1 Before modifying the preference files, you must designate one user ID that you will continue to use as an
Editor. This user ID must exist in the external authentication directory.
If you choose to use the default Editor User ID that comes with Hyperion Metrics Builder,
which is also the owner of the metadata database, confirm that this user ID exists in the
external directories.
If you choose to set up a new user ID for the Editor, define the user ID in the Hyperion
Metrics Builder Security tool. This new user ID must have Editor privileges and must be
defined prior to changing the preference settings. This user ID must also be defined as a user
in the external authentication directories.
2 Locate the MetricsBuilder Server installation folder. For example,
<MetricsBuilderInstallationFolder>/MetricsBuilder/Server.
3 Open both the Analytic_server.prefs and Configuration_server.prefs files.
4 Add the following lines to the end of each of the files:
AUTH_METHOD=CSS
CSS.CONFIG_FILE=http://hubsvr:58080/interop/framework/getCSSConfigFile
In the example above, replace hubsvr with the Hyperion Hub server name, and replace 58080
with the port number on which Hyperion Hub runs.
5 Save the .prefs files.
6 Shut down and restart the Analytic Server.
7 Shut down and restart the Configuration Server.
8 Shut down and restart the Servlet JVM.
9 All users that need to access Hyperion Metrics Builder must be added into the Hyperion Metrics Builder
Security tool, using the Configuration Tool client. For more information, see the Metrics Builder
Configuration Guide.
Hyperion Performance Scorecard
For instructions on configuring Hyperion Performance Scorecard, see the Hyperion
Performance Scorecard documentation. Hyperion Performance Scorecard does not currently
support references to a Hyperion Hub configuration URL.
Hyperion Performance Suite
To reference the Hyperion Hub configuration for Hyperion Performance Suite,
1 Create an external AuthenticationSystem and assign it to use the Security Platform driver.
2 On the Define Driver Default Property Values screen, enter the URL for the Hyperion Hub external
authentication configuration.
The URL format must be as follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
For example,
http://hubserver:58080/interop/framework/getCSSConfigFile
3 Set the AuthenticationService to manage the AuthenticationSystem.
4 Restart the CommonServices process.
Hyperion Planning
This topic contains the following sections:
Referencing the Hub Configuration on page 55
Setting Up BEA WebLogic on page 55
Configuring NTLM Authentication When the Web Application Server is on UNIX on page 56
Enabling Single Sign-On Between Planning and Other Hyperion Products on page 56
Referencing the Hub Configuration
To enable Hyperion Planning to use the Hyperion Hub configuration for external
authentication, you must provide the path to the Hyperion Hub configuration.
To reference the Hyperion Hub configuration:
1 On the computer hosting the Hyperion Planning server, run the HsxSysAdmin.msc file.
By default, this file is located in
C:\Hyperion\HyperionPlanning\Server
2 In the left frame of the Microsoft Management Console window, expand the Server Admin directory and
click System Properties.
3 In the right frame of the Microsoft Management Console window:
a. Right-click CSS Properties.
b. In the CSS Property Value text box, type the URL of the Hyperion Hub configuration. The
URL format must be as follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
For example,
http://hubserver:58080/interop/framework/getCSSConfigFile
Hyperion Planning can now access the external authentication configuration used by Hyperion
Hub.
Setting Up BEA WebLogic
This section is applicable if you are using BEA WebLogic as the Web application server for
Hyperion Planning. This step is required to prepare BEA WebLogic for external authentication.
If you have more than one instance of JRE installed, you need to configure the instance that
Hyperion Planning uses.
If you are using the WebLogic 7.0.2 or WebLogic 7.0.2 Express as your Web application server,
you need to copy the Java Cryptography Extension (.jar) files to the JRE directory for your
WebLogic Web application server. If you are using WebLogic 8.1 or WebLogic 8.1 Express, you
do not need to follow the procedure in this section.
To prepare a WebLogic Web application server for external authentication,
1 Copy the following four .jar files
jce1_1_2.jar
local_policy.jar
sunjce_provider.jar
US_export_policy.jar
from the jce directory (for example, C:\hyperion\common\jce\1.2.2)
to the ext directory (for example, <application directory>\jdk131_03\jre\lib\ext
or <application directory>\jrockit70sp2_131\jre\lib\ext).
2 Open the INSTALL.HTML file, located in the jce1.2.2\doc directory on the Hyperion Planning CD,
and follow its instructions to register the JCE files for your Web application server.
Configuring NTLM Authentication When the Web Application
Server is on UNIX
When your Web application server is installed on a UNIX system, you need to copy the
HspJSHome.properties file (which the HspSetupSupport utility creates) to the UNIX
computer.
To move the HspJSHome.properties file:
1 Copy the HspJSHome.properties file from the Windows system to the UNIX system.
The location of the HspJSHome.properties file depends on your application server.
Here is a sample location on the Windows system:
c:\Hyperion\HyperionPlanning\Deployment\Tomcat\4.1.18\webapps\HyperionPlanning\WEB-INF\classes
You can put the files anywhere on the UNIX system; just include the
HspJSHome.properties file in the CLASSPATH.
2 Save and upload the modified HspJSHome.properties file to the application folder (for example,
web-inf\lib) on the UNIX machine.
Enabling Single Sign-On Between Planning and Other
Hyperion Products
This topic contains the following sections:
Setting Up Hyperion Planning for Signing On to Other Hyperion Products on page 57
Setting Up Other Products for Signing On to Hyperion Planning on page 58
Setting Up Hyperion Planning for Signing On to Other Hyperion Products
If single sign-on is enabled (for more information, see About Single Sign-On on page 8),
users can launch other Hyperion products that also support single sign-on from links within
Hyperion Planning without having to log on again. You can set up links that launch a
product's Home page or a more specific page, such as the SelectReport page in Hyperion
Reports.
To create links from Hyperion Planning to other Hyperion products:
1 From the Hyperion Planning Home page, click the Preferences link.
2 Select the Custom Tools tab.
3 In the Name text box, enter the name of the link that you want to display on the Hyperion Planning Home
page.
For example: Select a Report in Hyperion Reports
4 In the URL text box, enter the URL for the Hyperion application to which you want to link.
For example:
http://<hostname>:8200/HREPORTS/SELECTREPORT.JSP
5 Append to the URL of the Hyperion product this parameter:
sso_token=%SSO_TOKEN%
For example:
http://<machine name>/<application path>/PageName.jsp?sso_token=%SSO_TOKEN%
6 To further define the page and context, you can add to the URL any of these substitution variables:
%APPLICATION%
%FORM%
%PAGE%
%SCENARIO%
%VERSION%
%ENTITY%
Note: All the substitution variables above must be capitalized.
Each of the substitution variables is replaced at runtime with the value from the current state of
the user's session. For example, if the user has a form named Budget03 open, then any instance
of %FORM% in the URL is replaced with Budget03. Or, if the user is working with a planning
unit in the Workflow part of Hyperion Planning, the current URL reflects the selected scenario
and version. If the URL link on the Hyperion Planning Home page contains %SCENARIO%
or %VERSION%, these references are replaced with the current scenario and version at
runtime. If the URL contains a substitution variable that does not exist at runtime, the
substitution variable is removed and ignored.
For example:
http://<machine name>/<application path>/HyperionPlanning/PlanningCentral.jsp?sso_token=%SSO_TOKEN%&Form=%FORM%&Page=%PAGE%&Scenario=%SCENARIO%&Version=%VERSION%&Entity=%ENTITY%
7 From the User Type drop-down list, select which user type you want to have access to this link. Your choices
are Administrator, Interactive, and Basic.
Administrator users see all links
Interactive users see interactive user and basic user links
Basic users see basic user links
8 Click Save.
Setting Up Other Products for Signing On to Hyperion Planning
Other Hyperion products that support single sign-on as described in their product
documentation can launch Hyperion Planning without users having to log on again. A product
that intends to launch Hyperion Planning can pass an SSO token in the sso_token parameter
and any other optional parameters for accessing a more specific context in Hyperion Planning.
The URL to the Hyperion Planning application must include the single sign-on token
information (sso_token=<SSO_TOKEN>) appended to the URL. For example (do not insert
any spaces):
http://<machine name>/<application path>/HyperionPlanning/PlanningCentral.jsp?sso_token=<SSO_TOKEN>&Application=<application name>
The Application parameter is not required, but it is useful. Without it, the user is sent to the
login page to select an application; the user name and password page is still bypassed.
For users to access a specific page within Hyperion Planning beyond the Hyperion Planning
Home page, use the following format from the other product. This example would launch
Hyperion Planning's Enter Data page:
http://<machine name>/HyperionPlanning/EnterData.jsp?sso_token=<SSO_TOKEN>&Application=<application name>&Form=<form name>
To further define the context, you can add to the URL any of these parameters, separating each
by the & symbol:
Application
Form
Page
Scenario
Version
Entity
Tip: You can first access the page you want to access, copy its URL, and paste it into the syntax.
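The two directions described above, a Custom Tools link whose %VAR% placeholders Planning fills from the session, and a launch URL that another product builds to open Planning, are shown in the following script. It is an added example, not code from the guide or from Hyperion Planning: the host name planning.example, the session values and the rule that substituted values are percent-encoded are this example's assumptions; the placeholder names, the parameter names and the "missing variable is removed" behaviour are the ones the guide documents. Because the token travels in the query string, it is recorded wherever URLs are logged (browser history, web server access logs), so those records should be protected accordingly.

```python
"""Hyperion Planning single sign-on link helpers.

Added example, not code from the Hyperion guide or product. The host name,
session values and percent-encoding of substituted values are assumptions;
the placeholder and parameter names follow the guide.
"""
import re
from urllib.parse import quote, urlencode

# Substitution variables Planning expands in a Custom Tools link (upper case only).
SUBSTITUTION_VARS = ("SSO_TOKEN", "APPLICATION", "FORM", "PAGE",
                     "SCENARIO", "VERSION", "ENTITY")
# Context parameters another product may pass when launching Planning.
LAUNCH_PARAMS = ("Application", "Form", "Page", "Scenario", "Version", "Entity")

VAR_RE = re.compile(r"%([A-Z_]+)%")   # lower-case %form% is deliberately not matched


def expand_custom_tool_url(template, session):
    """Expand a Custom Tools URL as the guide describes: each %VAR% is replaced
    from the current session state, and a variable with no value at runtime is
    removed. Percent-encoding the value is this example's choice, so a form name
    containing a space stays one query value."""
    def replace(match):
        value = session.get(match.group(1))
        return "" if value is None else quote(str(value), safe="")
    return VAR_RE.sub(replace, template)


def planning_launch_url(base_url, sso_token, page="PlanningCentral.jsp", **context):
    """Build the URL another product uses to open Planning without a second logon:
    <base>/HyperionPlanning/<page>?sso_token=...&Application=...&Form=...
    Only the context parameters the guide lists are accepted; urlencode with
    quote (not quote_plus) guarantees the result contains no spaces or '+'."""
    unknown = sorted(set(context) - set(LAUNCH_PARAMS))
    if unknown:
        raise ValueError("unsupported Planning parameter(s): %s" % ", ".join(unknown))
    if not sso_token:
        raise ValueError("sso_token is required for single sign-on")
    params = [("sso_token", sso_token)]
    params += [(name, context[name]) for name in LAUNCH_PARAMS if name in context]
    query = urlencode(params, quote_via=quote)   # spaces become %20
    return "%s/HyperionPlanning/%s?%s" % (base_url.rstrip("/"), page, query)


if __name__ == "__main__":
    # Constructed session state standing in for what Planning holds at runtime.
    session = {"SSO_TOKEN": "tok-abc123", "FORM": "Budget03", "PAGE": "Q1"}
    link = ("http://planning.example/HyperionPlanning/PlanningCentral.jsp"
            "?sso_token=%SSO_TOKEN%&Form=%FORM%&Page=%PAGE%&Scenario=%SCENARIO%")
    print(expand_custom_tool_url(link, session))
    print(planning_launch_url("http://planning.example", "tok-abc123",
                              Application="Budget", Form="Budget 03"))
```

In the first call %SCENARIO% has no value in the session, so the expanded link ends in Scenario= with the placeholder removed; a lower-case %form% would be left untouched, which is why the guide insists on capitals.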
Hyperion Reports
This topic contains the following sections:
Referencing the Hub Configuration on page 59
Enabling Single Sign-On to Hyperion Essbase on page 59
Searching for Users in Hyperion Reports on page 60
Referencing the Hub Configuration
To enable Hyperion Reports to use the Hub configuration for external authentication, you
must edit the hr_global.properties configuration file located in the lib directory of the
Hyperion Reports installation.
A default hr_global.properties file is created during installation.
To edit the hr_global.properties configuration file:
1 Open the file in any text editor, such as Windows Notepad.
2 Add an entry CSSConfiguration=<location of configuration file>, where the location of the configuration file
must be a URL.
The URL format must be as follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
For example, add the following entry (all on one line):
CSSConfiguration=http://hubserver:58080/interop/framework/getCSSConfigFile
3 Save the hr_global.properties file.
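Several products in this chapter reference the Hub configuration through the same key=value file edit: nativeSecurity.css.config.file.name in Essbase.properties (Essbase Deployment Services), CSS.CONFIG_FILE in the Metrics Builder .prefs files, and CSSConfiguration in hr_global.properties here. The script below, added as an example and not taken from the guide or any Hyperion product, builds the getCSSConfigFile URL, checks that a value has exactly that form, applies the guide's %20 encoding to the file: form that Strategic Finance accepts, and sets the key in a properties file without touching other lines or leaving a duplicate key behind. The host name hubserver and the sample file contents are constructed.

```python
"""Reference the Hyperion Hub security-platform configuration from a Java
.properties-style file.

Added example, not Hyperion's code. Host name, port and the sample file
contents are constructed; the URL and file: formats are the ones the guide gives.
"""
from urllib.parse import quote, urlsplit

CSS_CONFIG_PATH = "/interop/framework/getCSSConfigFile"


def hub_config_url(server, port):
    """http://<Server>:<Port>/interop/framework/getCSSConfigFile"""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if not server or any(c.isspace() for c in server):
        raise ValueError("server must be a host name without spaces")
    return "http://%s:%d%s" % (server, port, CSS_CONFIG_PATH)


def file_config_url(path):
    """file:///<drive>:\\<filepath>\\CSSConfigfile.xml form accepted by Strategic
    Finance, with spaces written as %20 as the guide's encoding note requires."""
    return "file:///" + quote(path, safe=":\\/")


def is_hub_config_url(value):
    """True only for the exact form the Hyperion products expect."""
    parts = urlsplit(value)
    try:
        port = parts.port
    except ValueError:
        return False
    return (parts.scheme == "http" and bool(parts.hostname) and port is not None
            and parts.path == CSS_CONFIG_PATH and " " not in value)


def set_property(text, key, value):
    """Return text with key=value set. The first existing assignment is replaced,
    later duplicates are dropped, and the key is appended if absent. Comment lines
    (# or !) and other keys are left exactly as they were."""
    out, done = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(("#", "!")) and "=" in stripped:
            if stripped.split("=", 1)[0].strip() == key:
                if not done:
                    out.append("%s=%s" % (key, value))
                    done = True
                continue
        out.append(line)
    if not done:
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def reference_hub(text, key, server, port):
    """Set `key` in the given properties text to the Hub configuration URL."""
    url = hub_config_url(server, port)
    assert is_hub_config_url(url)
    return set_property(text, key, url)


SAMPLE_ESSBASE_PROPERTIES = """\
# constructed Essbase.properties excerpt, not the file shipped with Deployment Services
nativeSecurity.css.config.file.name=file:///C:\\hyperion\\CSSConfigfile.xml
some.other.setting=1
"""

if __name__ == "__main__":
    # The same call serves CSS.CONFIG_FILE (Metrics Builder) and CSSConfiguration (Reports).
    print(reference_hub(SAMPLE_ESSBASE_PROPERTIES,
                        "nativeSecurity.css.config.file.name", "hubserver", 58080))
```

Read the file, pass its contents through reference_hub with the product's key, and write the result back; then restart the product as its section instructs, with Hyperion Hub already running.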
Enabling Single Sign-On to Hyperion Essbase
To enable Hyperion Reports to single sign-on to Essbase you must edit the
hr_global.properties configuration file located in the lib directory of the Hyperion
Reports installation.
A default hr_global.properties file is created during installation.
To edit the hr_global.properties configuration file:
1 Open the file in any text editor, such as Windows Notepad.
2 Set the PassCSSTokenToHssEssDriver setting to True. For example,
PassCSSTokenToHssEssDriver=true
3 Save the hr_global.properties file.
Searching for Users in Hyperion Reports
To search for externally authenticated users in Hyperion Reports,
1 Launch Hyperion Reports.
2 Select Administration > Maintain Users.
3 Begin typing the name of the user in the <Find User> text box, above the table. If the user exists in an
external directory, it is highlighted in the table.
4 Do one of the following tasks:
Enter the full name of a user.
Enter a partial name of a user.
For example, if you are searching for user Jeff, entering Je moves your selection to the
first occurrence in the list of a user name beginning with Je. Click the Find Next button to
find the next occurrence of a user name beginning with Je.
Tip: Use the Find Previous or the Find Next button to highlight the previous or next item matching
the letters typed or to scroll through the entire list.
Hyperion SQR and Intelligence
External authentication for Hyperion SQR and Hyperion Intelligence is automatically enabled
by the configuration of Hyperion Performance Suite.
Hyperion Strategic Finance
To enable external authentication and single sign-on for Hyperion Strategic Finance, it is
recommended that you reference the Hub external authentication configuration.
This topic contains the following sections:
Referencing the Hub Configuration on page 60
Searching for Users in Hyperion Strategic Finance on page 61
Referencing the Hub Configuration
To reference the Hub configuration,
1 From the Start menu, select Start > Programs > Hyperion Solutions > Strategic Finance > Strategic
Finance > Server > Administrator.
2 From the menu bar of the Administrator utility, select Server > Open.
3 In the Server text box, select the Hyperion Strategic Finance Server from the drop-down list and click OK.
4 From the menu bar of the Administrator utility, select Server > Settings.
5 Select the General tab.
6 In the Security Mechanism text box, select External Authentication.
7 In the Configuration File text box, enter the path to the Hub configuration that you completed in Chapter 4,
Configuring Hyperion Hub for External Authentication.
You can reference the configuration file in the URL format as follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
For example,
http://hubserver:58080/interop/framework/getCSSConfigFile
You can also reference the configuration file in the file format as follows:
file:///<drive>:\<filepath>\CSSConfigfile.xml
For example:
file:///C:\hyperion\CSSConfigfile.xml
8 Click OK.
You must restart the Hyperion Strategic Finance service for this change to take effect.
Searching for Users in Hyperion Strategic Finance
To find and add externally authenticated users,
1 From the Start menu, select Start > Programs > Hyperion Solutions > Strategic Finance > Strategic
Finance > Server > Administrator.
2 From the menu bar of the Administrator utility, select Server > Open.
3 In the Server text box, select the Hyperion Strategic Finance Server from the drop-down list.
4 In the User ID text box, enter your user name.
5 In the Password text box, enter your password and click OK.
6 Select the Users tab.
7 From the menu bar, select User > Add.
8 In the User ID text box, enter the name of the user as listed in the security provider.
Lookup User
If you do not know the ID of the user, click Lookup User to search and select.
User Identity
The Security Identifier (SID) number of the user within the directory server. This text box
cannot be edited.
9 In the Full Name text box, enter the first and last name of the user.
10 In the Access Type text box, select an access type to determine the level of access for the user:
Administrator
Can create users and groups, scenario types, rule sets.
Power User
Can check-in/check-out entities; create and modify reports, Subaccounts, Forecast
Methods, and Formulas; in general can create Entities.
Data Input
Can check-in/check-out entities for data entry only.
Read Only
Can check out entities for viewing only. No write access.
None
11 Optional: In the Email Address text box, enter an e-mail address where the user may be sent notices.
Note: To send a test email, click Send Email.
12 Optional: In the Compression Level drop-down list, select the level of data compression.
13 Optional: In the Phone Number text box, enter a phone number where the user may be reached.
14 Optional: In the Notes text box, enter any additional information about the user.
15 Click OK.
Hyperion Translation Manager
To enable external authentication and single sign-on for Hyperion Translation Manager, it is
recommended that you reference the Hub external authentication configuration.
This topic contains the following sections:
Referencing the Hub Configuration on page 62
Referencing the Hub Configuration
To reference the Hub configuration,
1 Select Start > Programs > Hyperion Solutions > Hyperion Translation Manager > Start Server to start the
Web application server.
2 Using your Web browser, navigate to the following URL:
http://server:port/HyperionTranslationManager/Config.jsp
where server is the name of the server where Hyperion Translation Manager is installed and
port is the number of the startup port.
The Configuration page is displayed.
3 In the External Authentication field, select URL.
4 In the URL text box, enter the URL to the Hyperion Hub configuration that you completed in Chapter 4,
Configuring Hyperion Hub for External Authentication.
The URL format must be as follows:
http://<Server>:<Port>/interop/framework/getCSSConfigFile
For example,
http://hubserver:58080/interop/framework/getCSSConfigFile
5 Click Update to save the configuration.
The information you supplied is stored in the HtmTransManHome.properties file, and is
read by Hyperion Translation Manager upon startup.
6 Stop and restart Hyperion Translation Manager Web application server to enable the changes to take
effect.
Chapter 6
Setting Up the Environment for Netegrity Single Sign-On
For Web-based Hyperion products, single sign-on integration with Netegrity SiteMinder is
available.
SiteMinder is a Web access management product that companies use to manage and enforce
authentication, authorization, and single sign-on for company Web resources.
The Hyperion security platform enables single sign-on for a user into a Web-based Hyperion
application without challenging the user for credentials, as long as SiteMinder has already
authenticated the user.
In This Chapter
Required Changes to Hub Configuration on page 66
Required Changes to Netegrity Policy Server on page 66
Deployment Example on page 67
Required Changes to Hub Configuration
Integration with SiteMinder requires configuration of the
<securityAgent></securityAgent> element in the CSS.xml configuration file.
The CSS.xml file is located on the computer that hosts Hyperion Hub, at:
HUB\deployments\Tomcat\4.1.18\CSS.xml
where HUB represents the directory where Hyperion Hub was installed.
Caution! Do not edit the css.xml file until after you have finished using the Hub console for the
preliminary configuration. Additionally, we recommend backing up the existing css.xml file
before editing it directly.
To enable SiteMinder authentication in the Hub configuration,
1 Open the css.xml file using a text editor.
2 Near the end of the file, add a blank line above the final line that reads as follows:
</css>
3 In the blank line above </css>, enter the following text:
<securityAgent name="NETEGRITY"/>
4 Save and close css.xml.
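The edit above is a four-line change, but it is made to a file the Hub console generates, and the caution about backing it up applies every time it is repeated. The script below, an added example that is not part of the guide or of Hyperion Hub, performs steps 1 to 4 without a text editor: it leaves css.xml alone if a NETEGRITY security agent is already declared, otherwise writes a .bak copy, inserts the element on its own line directly above the closing </css> tag, and refuses to write a result that no longer parses as XML with a css root. The css.xml skeleton it runs on is constructed and contains none of the provider configuration a real file has; the example also assumes css.xml uses no XML namespace.

```python
"""Add <securityAgent name="NETEGRITY"/> to a Hyperion Hub css.xml.

Added example, not Hyperion's code. SAMPLE_CSS is a constructed skeleton; a
real css.xml written by the Hub console carries the provider configuration in
place of the comment. Assumes the file uses no XML namespace.
"""
import shutil
import xml.etree.ElementTree as ET

SAMPLE_CSS = """\
<?xml version="1.0" encoding="UTF-8"?>
<!-- constructed skeleton; the real css.xml generated by the Hub console has more content -->
<css>
  <!-- provider configuration written by the Hub console goes here -->
</css>
"""


def parse_css(xml_text):
    """Parse as bytes so the file's own encoding declaration is honoured."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "css":
        raise ValueError("root element is %r, expected css" % root.tag)
    return root


def has_security_agent(xml_text, name="NETEGRITY"):
    """True if a <securityAgent name="..."/> with that name is already present."""
    root = parse_css(xml_text)
    return any(el.get("name") == name for el in root.iter("securityAgent"))


def add_security_agent(xml_text, name="NETEGRITY"):
    """Insert the element on its own line just above the final </css>, as the
    guide's steps 2 and 3 describe, unless that agent is already declared.
    The result is re-parsed before it is returned."""
    if has_security_agent(xml_text, name):
        return xml_text
    idx = xml_text.rfind("</css>")
    if idx < 0:
        raise ValueError("no closing </css> tag found")
    new_text = xml_text[:idx] + '<securityAgent name="%s"/>\n' % name + xml_text[idx:]
    parse_css(new_text)          # raises ParseError if the edit broke the file
    return new_text


def enable_siteminder(path):
    """File-level wrapper: back up css.xml first (as the guide recommends), then
    rewrite it. Returns True if the file was changed."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text = add_security_agent(text)
    if new_text == text:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return True


if __name__ == "__main__":
    print(add_security_agent(SAMPLE_CSS))
```

Call enable_siteminder on HUB\deployments\Tomcat\4.1.18\CSS.xml only after the Hub console configuration is finished, since the console may otherwise rewrite the file.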
Required Changes to Netegrity Policy Server
The SiteMinder administrator must set up protection for the appropriate Hyperion
application's web resources. These resources could be HTML files, JSP files, ASP files, or other
web-based resource files.
The SiteMinder administrator must configure a "response" that adds a custom HTTP header.
This HTTP header makes the login name available to Hyperion application web resources. The
header name must be HYPLOGIN, and its value must be the login name of the authenticated
user. Because the security platform signs the user in on the strength of this header alone, the
Hyperion web resources must be reachable only through the SiteMinder-protected web server;
a client that can reach the application server directly could otherwise supply a HYPLOGIN
header of its own.
For example, if you use an LDAP directory and cn is the login name attribute in the
configuration file, then the HYPLOGIN header should carry the cn value of the LDAP
authenticated user. SiteMinder administrators can also configure the header to
SM_USERLOGINNAME, the user ID specified by the user during log on.
For more information, see the "Responses and Response Groups" section of the Netegrity
Policy Design Guide.
Deployment Example
For a sample deployment scenario, see Single Sign-on with SiteMinder on page 85.
Chapter 7
Using Secure Sockets Layer (SSL)
For the Hyperion security platform, the Secure Sockets Layer (SSL) protocol can be used to
protect the connection between a Hyperion application and the external authentication
provider (the directory server), so that credentials and directory data are not transmitted in
clear text.
In This Chapter
Overview on page 70
Required Changes to Hub Configuration on page 70
Other Required Tasks on page 70
Overview
You can use the Secure Sockets Layer (SSL) protocol for secure data transmission to and from
the authentication provider.
Tokens are encrypted; however, the additional protection of Secure Sockets Layer on the
directory connection is recommended to prevent replay attacks or man-in-the-middle attacks.
The Hyperion security platform uses the LDAP service provider from Sun to authenticate
users stored externally in an LDAP-compatible directory such as Novell eDirectory, Sun
Open Net Environment (Sun ONE) (formerly iPlanet), or Microsoft Active Directory. The
LDAP service provider runs on the Java Virtual Machine for your application. When SSL is
used as the secure medium to connect to the directory server, the LDAP service provider of the
security platform uses Java Secure Socket Extension (JSSE) software for its SSL support.
Required Changes to Hub Configuration
To use Secure Sockets Layer, you must select SSL as the authorization type when configuring
Hyperion Hub for external authentication. For more information, see Setting Authorization
Type (Optional) on page 24.
Other Required Tasks
If you are using Secure Sockets Layer (SSL), you must also complete the following tasks:
On the directory server, ensure that a certificate is installed and available.
On the Java Virtual Machine that runs your application, create a certificate database if one
does not exist.
On the Java Virtual Machine that runs your application, trust the Certificate Authority (CA)
that issues the server certificate.
For more information about setting up SSL, see the documentation for your directory server
and JRE.
Chapter 8
Hyperion Remote Authentication Module
This chapter explains the purpose for, and installation of, the Hyperion Remote Authentication
Module.
In This Chapter
Overview on page 72
Installation Instructions on page 74
Configuration and Startup on page 74
Overview
Hyperion Remote Authentication Module 7.2 is an optional component for external
authentication.
About the Hyperion Remote Authentication Module
The Hyperion Remote Authentication Module, formerly called the NTLM Remote Server, can
be installed from the Hyperion Download Center. Installing and running the Hyperion
Remote Authentication Module can be useful to both of the following groups:
UNIX application users who need to log in using a Windows NT LAN Manager domain.
Windows users who need to log in using more than one Windows NT LAN Manager
domain when there are no trust relationships set up.
UNIX Application Support for NT LAN Manager
In the following deployment scenario, the Hyperion Remote Authentication Module enables
communication between NTLM and a UNIX-based application.
The configuration file resides on the application server, as do the Hyperion application
binaries. The NTLM support library file (css-2_6_x.dll) is also required for NTLM
connectivity. You must configure for external authentication as described in the
documentation for the Hyperion application you are using.
The NTLM Primary Domain Controller can be on a Windows NT 4.0 server or on a Windows
2000 server that has backward-compatibility to NT 4.0. The Hyperion Remote Authentication
Module should be on Windows NT 4.0 server or on a Windows 2000 server. Combining the
Remote Authentication Module with the NTLM Primary Domain Controller is not
recommended. The Remote Authentication Module machine needs to be in the same domain
as the NTLM Primary Domain Controller.
Multiple-Domain Support for NT LAN Manager
The Hyperion Remote Authentication Module enables a Hyperion product to authenticate
users belonging to other domains that are not trusted by the domain on which the Hyperion
product is installed. This removes the necessity to establish trust relationships between the
domains.
In the following deployment scenario, the Hyperion Remote Authentication Module enables
users of a Hyperion product to authenticate using either of two domains.
Without the Hyperion Remote Authentication Module, the only way to use multiple domains
for a Hyperion product is to establish trust relationships, as shown in the following diagram:
Installation Instructions
On a Windows NT/2000 server, install the Hyperion Remote Authentication Module. The
installation program, setup.exe, is available on the Hyperion Download Center.
To install the Hyperion Remote Authentication Module:
1 Run setup.exe.
2 Select the language to use.
3 On the Welcome page, click Next.
4 Accept the license agreement and click Next.
5 Choose a destination location for the Hyperion Remote Authentication Module, and click Next. It is
recommended that you accept the default location.
6 Provide a value for the Hyperion_Home environment variable. It is recommended that you accept the
default location.
7 Enter the host name and port number for the machine hosting the Hyperion Remote Authentication
Module. The default port number is 58000.
If you will be using Secure Sockets Layer with your NTLM deployment, select the option to
support SSL.
Click Next.
For SSL configuration information, see the security platform configuration documentation for
the Hyperion product you are using. You must provide a value for the
<authProtocol></authProtocol> element in the security platform configuration XML file
shipped with Hyperion Hub (or alternately, the file shipped with an individual Hyperion
product).
8 Review the summary of your installation choices, and click Next to begin the installation.
9 Click Finish to complete the installation.
Configuration and Startup
Before using the Hyperion Remote Authentication Module, complete the following additional
steps:
1 On the computer that hosts the Hyperion product(s) which will connect to the Remote Authentication
Module, modify the values in the <location> tags in the <remoteServer> section of the
configuration file, to tell the application where to find the Remote Authentication Module.
You must provide a value for the <remoteServer></remoteServer> element in the external
authentication configuration XML file shipped with Hyperion Hub (or alternately, with each
Hyperion product).
2 Run the remote authentication module by choosing Start > Programs > Hyperion Solutions > Hyperion
Remote Authentication Module > Run Authentication Server.
Sample Deployment Scenarios 75
Chapter 9
Sample Deployment Scenarios
This chapter contains sample deployment scenarios.
In This Chapter
Single LDAP Directory 76
Single Microsoft Active Directory 77
UNIX Application and Single NTLM Domain 78
Windows Application and Single NTLM Domain 79
UNIX Application against LDAP, Microsoft Active Directory, and NTLM 79
Windows Application against LDAP, Microsoft Active Directory, and NTLM 80
Multiple Microsoft Active Directory Instances 81
Multiple LDAP Directory Instances 82
Multiple NTLM Domains with Trust Relationships 83
Multiple NTLM Domains Connected with Hyperion Remote Authentication Module 84
Single LDAP Directory
Figure 2 illustrates a deployment scenario that uses LDAP.
Figure 2 Authentication Against a Single Instance of an LDAP Directory
The configuration file resides on the Hyperion Hub server. The configuration for external
authentication should be done from the Hyperion Hub console as described in the rest of this
document. The application server can be on UNIX, Windows NT 4.0 server, Windows 2000
server, or Windows 2003 server. The directory server can be on UNIX, Windows NT 4.0 server,
Windows 2000 server, or Windows 2003 server.
A secure SSL connection can optionally be used.
The directory server and the application server can be combined into one server. In such a
scenario, the application binaries and the directory server binaries reside on the same server.
In the single LDAP directory scenario:
- All users must have the same prefix, such as cn or uid.
- All groups must have the same prefix, such as cn or ou.
- Referrals are not supported.
- Users and groups should exist under nodes, such as ou=People and ou=Groups, for
optimal data-retrieval performance.
A sample corporate directory schema follows:
Single Microsoft Active Directory
Figure 3 illustrates a deployment scenario that uses Microsoft Active Directory.
Figure 3 Authentication Against a Single Instance of Microsoft Active Directory
The configuration file resides on the Hyperion Hub server. The configuration for external
authentication should be done from the Hyperion Hub console as described in the rest of this
document. The application server can be on UNIX, Windows NT 4.0 server, Windows 2000
server, or Windows 2003 server. The directory server must be on a Windows 2000 or 2003
server.
A secure SSL connection can optionally be used.
The directory server and the application server can be combined into one server. In this
scenario the application binaries and the directory server binaries reside on the same server.
In the single Microsoft Active Directory scenario:
- All users must have the same prefix, such as cn or uid.
- All groups must have the same prefix, such as cn or ou.
- Referrals are supported if the configuration enables them, as described in Referral Support
(Optional, MSAD Only) on page 34.
- Users and groups should exist under nodes, such as cn=Users, for optimal data-retrieval
performance.
A sample corporate directory schema follows:
UNIX Application and Single NTLM Domain
Figure 4 illustrates a deployment scenario in which a UNIX-based application accesses
information from a Windows NT LAN Manager domain controller. This implementation also
depends on the Hyperion Remote Authentication Module, which must be configured and
running on a Windows server. The Remote Authentication Module can be installed from the
Hyperion Download Center. The Remote Authentication Module is needed because the
external authentication mechanism depends on the NTLM support library file (.dll) for
NTLM authentication, and DLLs are not supported on UNIX.
Figure 4 Authentication from a UNIX-Based Application Server Against a Single Instance of NTLM
Note: The Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based
application. Install the Remote Authentication Module from the Hyperion Download Center.
The configuration file resides on the Hyperion Hub server. The configuration for external
authentication should be done from the Hyperion Hub console as described in the rest of this
document.
The NTLM support library (.dll) file is required for NTLM connectivity.
The application server is assumed to be on UNIX, requiring the Hyperion Remote
Authentication Module to enable NTLM authentication.
The NTLM Primary Domain Controller server can be on a Windows NT 4.0 server, a Windows
2000 server, or a Windows 2003 server.
The Hyperion Remote Authentication Module should be on a Windows NT 4.0 server, a
Windows 2000 server, or a Windows 2003 server. Combining the Remote Authentication
Module with the NTLM Primary Domain Controller server is not recommended. The Remote
Authentication Module machine needs to be in the same domain as the NTLM Primary
Domain Controller server.
The security platform can communicate over a secure medium such as Secure Sockets Layer
(SSL) with the Hyperion Remote Authentication Module. If you need to use SSL, select the SSL
option when installing the Hyperion Remote Authentication Module. For complete
installation instructions, download and read the installation and setup instructions provided
with the Hyperion Remote Authentication Module on the Hyperion Download Center.
Windows Application and Single NTLM Domain
Figure 5 illustrates a deployment scenario in which a Windows-based application accesses
information from a Windows NT LAN Manager domain controller.
Figure 5 Authentication from a Windows-Based Application Server Against a Single Instance of NTLM
The configuration file resides on the Hyperion Hub server. The configuration for external
authentication should be done from the Hyperion Hub console as described in the rest of this
document.
The NTLM support library (.dll) file is required for NTLM connectivity.
The NTLM Primary Domain Controller server can be on a Windows NT 4.0 server, a Windows
2000 server, or a Windows 2003 server.
UNIX Application against LDAP, Microsoft Active Directory, and NTLM
Figure 6 illustrates a deployment scenario in which a UNIX-based application accesses
information from multiple directory stores. The Hyperion Remote Authentication Module is
required for access to the Windows NT LAN Manager domain, as in Scenario 3 (UNIX
Application and Single NTLM Domain). Configuration of the search order becomes important
in this scenario.
Figure 6 Authentication from a UNIX-Based Application Server Against an LDAP Directory, Microsoft Active Directory, and NTLM
Note: The Hyperion Remote Authentication Module enables communication between NTLM and a UNIX-based
application. Install the Remote Authentication Module from the Hyperion Download Center.
Windows Application against LDAP, Microsoft Active Directory, and NTLM
Figure 7 illustrates a deployment scenario in which a Windows-based application accesses
information from multiple directory stores.
Figure 7 Authentication from a Windows-Based Application Server Against an LDAP Directory, Microsoft Active Directory, and NTLM
The configuration file resides on the Hyperion Hub server. The configuration for external
authentication should be done from the Hyperion Hub console as described in the rest of this
document.
The NTLM support library (.dll) file is required for NTLM connectivity. The NTLM Primary
Domain Controller can be on a Windows NT 4.0 server, a Windows 2000 server, or a Windows
2003 server.
For LDAP-compatible directories, a secure SSL connection can optionally be used.
The configuration of the search order property in the XML configuration file determines the
order in which each directory store receives requests for information from the application. For
example, the first instance of a requested user found while going through the search order is
the instance that is used by the external authentication mechanism to retrieve and return
information about the user to the application. Therefore, although there are three directories
that can host user information, it is recommended that user information not be duplicated
across the directories. Duplication can lead to the incorrect user object being authenticated.
For information about configuring the search order, see Setting the Search Order on page 27.
Multiple Microsoft Active Directory Instances
Figure 8 illustrates a deployment of multiple Microsoft Active Directory instances that hold
user authentication information.
Figure 8 Authentication with Multiple Microsoft Active Directory Instances
The configuration file resides on the Hyperion Hub server. The configuration for external
authentication should be done from the Hyperion Hub console as described in the rest of this
document.
To enable the application server to accept authentication from both directory servers shown
in Figure 8, both directory servers must be listed in the search order. The most frequently
used directory should be listed first in the search order. For information about configuring
the search order, see Setting the Search Order on page 27.
A secure SSL connection can optionally be used.
Multiple LDAP Directory Instances
Figure 9 illustrates a deployment of multiple LDAP instances that hold user authentication
information.
Figure 9 Authentication with Multiple LDAP Directory Instances
The configuration file resides on the Hyperion Hub server. The configuration for external
authentication should be done from the Hyperion Hub console as described in the rest of this
document.
To enable the application server to accept authentication from both directory servers shown
in Figure 9, both directory servers must be listed in the search order. The most frequently
used directory should be listed first in the search order. For information about configuring
the search order, see Setting the Search Order on page 27.
A secure SSL connection can optionally be used.
Multiple NTLM Domains with Trust Relationships
When there are multiple Windows NT LAN Manager domains which hold user authentication
information, one solution is to establish trust relationships between the domains, as shown in
Figure 10.
Figure 10 Authentication with Multiple Trusted NTLM Domains
The configuration file resides on the Hyperion Hub server. The configuration for external
authentication should be done from the Hyperion Hub console as described in the rest of this
document.
The NTLM support library (.dll) file is required for NTLM connectivity. The NTLM Primary
Domain Controllers can be on Windows NT 4.0, Windows 2000, or Windows 2003 servers.
Multiple NTLM Domains Connected with Hyperion Remote Authentication Module
When there are multiple Windows NT LAN Manager domains which hold user authentication
information, an additional solution is to link the domains using the Hyperion Remote
Authentication Module (compare to Multiple NTLM Domains with Trust Relationships on
page 83). This scenario eliminates the necessity of establishing trust relationships between the
domains, as shown in Figure 11.
Figure 11 Authentication with Multiple Untrusted NTLM Domains
The Hyperion Remote Authentication Module gives users of Hyperion applications on
Windows the ability to log in using multiple domains, without the need for the administrator
to create trust relationships between the domains. In the figure above, Windows users may
optionally log in using domain D2 in addition to the more commonly used domain D1,
because the Hyperion Remote Authentication Module is running, giving access to domain D2.
Note that D1 does not trust D2.
The configuration file resides on the Hyperion Hub server. The configuration for external
authentication should be done from the Hyperion Hub console as described in the rest of this
document.
The NTLM support library file (.dll) file is required for the NTLM connectivity.
The NTLM Primary Domain Controllers can be on Windows NT 4.0, Windows 2000, or
Windows 2003 servers.
The security platform can communicate over a secure medium such as Secure Sockets Layer
(SSL) with the Hyperion Remote Authentication Module. If you need to use SSL, select the SSL
option when installing the Hyperion Remote Authentication Module. For complete
installation instructions, download and read the installation and setup instructions provided
with the Hyperion Remote Authentication Module on the Hyperion Download Center.
Single Sign-on with SiteMinder
SiteMinder is a Web access management solution that companies sometimes employ to
manage and enforce authentication, authorization, and single sign-on for company Web
resources. The Hyperion security platform enables single sign-on for a user into a Web-based
Hyperion application without challenging the user for credentials, as long as SiteMinder has
already authenticated the user. Integration with SiteMinder requires configuration of the
<securityAgent></securityAgent> element in the XML configuration file.
Note: If your corporation uses a security agent to protect company Web resources, the corporate authentication
repository (for example, LDAP, Microsoft Active Directory, or NT LAN Manager) must be trusted, because the
Hyperion security platform does not store a password in the token when a security agent is used.
Figure 12 illustrates a scenario enabling single sign-on with SiteMinder and a Hyperion
application:
Figure 12 Single Sign-on with SiteMinder as the Security Agent
The Hyperion application trusts the authentication and authorization information sent by
SiteMinder with regard to the protected resources on the directory server. Therefore, the
Hyperion security platform supports Tier 1 integration with SiteMinder.
The Web agent is installed on a Web server that intercepts requests for the Hyperion
application's Web resources, such as JSP files, ASP files, or HTML files on the application
server. If these Web resources are protected, the Web agent issues a challenge to
unauthenticated users. Once the user is authenticated, the policy server adds another HTTP
header, named HYPLOGIN, whose value is the login name of the authenticated user.
Thereafter, the HTTP request is passed on to the Hyperion application's Web resources,
and the login name is extracted from the headers. For more details on configuring and
populating the HYPLOGIN header, see Chapter 6, Setting Up the Environment for Netegrity
Single Sign-On.
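The exchange described above, modelled as an added example that is not part of this guide and not Hyperion or Netegrity code: the agent challenges unauthenticated users on protected resources and, once the policy server has authenticated the user, forwards the request with HYPLOGIN set, and the application takes the login name from that header. Two details are this example's assumptions rather than behaviour the guide specifies: the agent drops any HYPLOGIN header the client itself supplied, and the application honours HYPLOGIN only on requests that arrived through the agent-fronted Web server (the from_agent flag).

```python
"""Models the SiteMinder-fronted request flow: Web agent and policy server on
one side, the Hyperion application's Web resources on the other. Added
example, not Hyperion or Netegrity code."""

HYPLOGIN = "HYPLOGIN"
# Resource types the guide names as protected by the Web agent.
PROTECTED_SUFFIXES = (".jsp", ".asp", ".html")


def web_agent(path, client_headers, session_user):
    """Agent plus policy server. session_user is the login SiteMinder has
    already authenticated for this browser session, or None."""
    if path.endswith(PROTECTED_SUFFIXES) and session_user is None:
        # Protected resource and no SiteMinder session: challenge the user;
        # nothing is forwarded to the application.
        return {"status": 401, "challenge": "SiteMinder login"}
    # Assumed hardening (not stated in the guide): a HYPLOGIN header supplied
    # by the client itself is dropped so that only the policy server's value
    # reaches the application.
    forwarded = {k: v for k, v in client_headers.items() if k.upper() != HYPLOGIN}
    if session_user is not None:
        forwarded[HYPLOGIN] = session_user
    return hyperion_app(path, forwarded, from_agent=True)


def hyperion_app(path, headers, from_agent):
    """Application side: the login name is taken from HYPLOGIN and the user is
    not asked for credentials. from_agent is this example's assumption that
    the application honours HYPLOGIN only on requests that came through the
    agent-fronted Web server."""
    login = headers.get(HYPLOGIN)
    if login is None:
        # No SiteMinder identity: an unprotected resource served anonymously.
        return {"status": 200, "user": None, "path": path}
    if not from_agent:
        return {"status": 401, "reason": "HYPLOGIN not set by the Web agent"}
    return {"status": 200, "user": login, "path": path}
```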
Deployment References from LDAP Product Vendors
Sun ONE Directory Server 5.2 Deployment Guide:
http://docs.sun.com/app/docs/doc/816-6700-10
iPlanet Directory Deployment Guide for v5.1:
http://192.18.99.138/816-5609-10/816-5609-10.pdf
iPlanet Directory Deployment Guide for v4.16:
http://192.18.99.138/816-6679-10/816-6679-10.pdf
Active Directory Deployment Guide:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/default.mspx
Appendix 10
Sample Configuration XML Files
When you use the Hyperion Hub Configuration Console to set up external authentication, the
console writes your configuration information to the CSS.xml file packaged with Hyperion
Hub.
The CSS.xml file is located on the computer that hosts Hyperion Hub, at:
HUB\deployments\Tomcat\4.1.18\CSS.xml
where HUB represents the directory where Hyperion Hub was installed.
Completion of the Hub configuration populates most of the XML file, but there are some
additional elements you can configure. For more information, see Additional Configuration
Elements on page 28.
In This Appendix
Basic XML Configuration Example 90
Extended XML Configuration Example 91
Basic XML Configuration Example
This topic shows a sample XML configuration file that contains the basic elements (XML tags)
that you can configure to enable external authentication for Hyperion Hub and other
Hyperion products.
<?xml version="1.0" encoding="UTF-8" ?>
<css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <spi>
    <provider>
      <ntlm name="ntlmServer">
        <trusted>false</trusted>
        <domain>THIS_IS_DOMAIN_NAME</domain>
      </ntlm>
      <ldap name="ldapServer">
        <trusted>true</trusted>
        <url>ldap://host:portNo/DIT</url>
        <userDN>cn=User Name</userDN>
        <password>userPassword</password>
        <user>
          <url>ou=People</url>
        </user>
        <group>
          <url>ou=Groups</url>
        </group>
      </ldap>
      <msad name="msadServer">
        <trusted>false</trusted>
        <url>ldap://host:PortNo/DIT</url>
        <userDN>cn=UserName</userDN>
        <password>UserPassword</password>
        <user>
          <url>ou=people</url>
        </user>
        <group>
          <url>ou=Groups</url>
        </group>
      </msad>
    </provider>
  </spi>
  <searchOrder>
    <el>ntlmServer</el>
    <el>ldapServer</el>
    <el>msadServer</el>
  </searchOrder>
  <logger>
    <priority>FATAL</priority>
  </logger>
</css>
Extended XML Configuration Example 91
Extended XML Configuration Example
This topic shows a sample XML configuration file that contains basic and additional elements
(XML tags) that you can configure to enable external authentication for Hyperion Hub and
other Hyperion products.
<?xml version="1.0" encoding="UTF-8" ?>
<css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <spi>
    <provider>
      <ntlm name="ntlmServer">
        <trusted>false</trusted>
        <domain>THIS_IS_DOMAIN_NAME</domain>
        <maxSize>300</maxSize>
        <remoteServer>
          <location>//localhost:58000/NTLMImpl</location>
        </remoteServer>
      </ntlm>
      <ldap name="ldapServer">
        <trusted>true</trusted>
        <url>ldap://host:portNo/DIT</url>
        <userDN>cn=User Name</userDN>
        <password>userPassword</password>
        <authType>simple</authType>
        <!-- authType currently not changeable -->
        <authProtocol>ssl</authProtocol>
        <maxSize>200</maxSize>
        <identityAttribute>dn</identityAttribute>
        <user>
          <url>ou=People</url>
          <loginAttribute>uid</loginAttribute>
          <fnAttribute>givenname</fnAttribute>
          <snAttribute>sn</snAttribute>
          <emailAttribute>mail</emailAttribute>
          <objectclass>
            <entry>person</entry>
            <entry>organizationalPerson</entry>
            <entry>inetOrgPerson</entry>
          </objectclass>
        </user>
        <group>
          <url>ou=Groups</url>
          <nameAttribute>cn</nameAttribute>
          <objectclass>
            <entry>groupofuniquenames?uniquemember</entry>
            <entry>groupOfNames?member</entry>
          </objectclass>
        </group>
      </ldap>
      <msad name="msadServer">
        <trusted>false</trusted>
        <url>ldap://host:PortNo/DIT</url>
        <userDN>cn=UserName</userDN>
        <password>UserPassword</password>
        <authType>simple</authType>
        <!-- authType currently not changeable -->
        <authProtocol>ssl</authProtocol>
        <maxSize>200</maxSize>
        <identityAttribute>dn</identityAttribute>
        <user>
          <url>ou=people</url>
          <loginAttribute>uid</loginAttribute>
          <fnAttribute>givenname</fnAttribute>
          <snAttribute>sn</snAttribute>
          <emailAttribute>mail</emailAttribute>
          <objectclass>
            <entry>person</entry>
            <entry>organizationalPerson</entry>
            <entry>inetOrgPerson</entry>
          </objectclass>
        </user>
        <group>
          <url>ou=Groups</url>
          <nameAttribute>cn</nameAttribute>
          <objectclass>
            <entry>groupofuniquenames?uniquemember</entry>
            <entry>groupOfNames?member</entry>
          </objectclass>
        </group>
      </msad>
    </provider>
  </spi>
  <searchOrder>
    <el>ntlmServer</el>
    <el>ldapServer</el>
    <el>msadServer</el>
  </searchOrder>
  <token>
    <timeout>60</timeout>
  </token>
  <logger>
    <priority>FATAL</priority>
  </logger>
  <!-- <securityAgent name="NETEGRITY"/> For SiteMinder integration with
  web-based Hyperion applications -->
</css>
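An added example, not Hyperion code, that reads a CSS.xml like the two samples above with Python's standard library. It walks <searchOrder> the way the Windows Application against LDAP, Microsoft Active Directory, and NTLM scenario describes (the first provider holding the login is the one used), reports logins duplicated across stores, and checks the <remoteServer> location from the Configuration and Startup step, the authProtocol of each LDAP/MSAD provider and the logger priority. The checklist is this example's own, not a Hyperion-supplied one; the embedded XML is a constructed, trimmed copy of the samples with placeholder hosts and credentials, and the store contents passed to resolve_user are constructed.

```python
"""Parse a Hyperion CSS.xml as the guide describes it and walk its searchOrder.
Added example, not Hyperion code."""
import re
import xml.etree.ElementTree as ET

# Constructed input, trimmed from the guide's samples; hosts, DNs and
# passwords are placeholders.
SAMPLE_CSS_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <spi>
    <provider>
      <ntlm name="ntlmServer">
        <domain>THIS_IS_DOMAIN_NAME</domain>
        <remoteServer>
          <location>//localhost:58000/NTLMImpl</location>
        </remoteServer>
      </ntlm>
      <ldap name="ldapServer">
        <url>ldap://host:portNo/DIT</url>
        <userDN>cn=User Name</userDN>
        <password>userPassword</password>
        <authProtocol>ssl</authProtocol>
      </ldap>
      <msad name="msadServer">
        <url>ldap://host:PortNo/DIT</url>
        <userDN>cn=UserName</userDN>
        <password>UserPassword</password>
      </msad>
    </provider>
  </spi>
  <searchOrder>
    <el>ntlmServer</el>
    <el>ldapServer</el>
    <el>msadServer</el>
  </searchOrder>
  <logger><priority>FATAL</priority></logger>
</css>
"""

PROVIDER_TAGS = ("ntlm", "ldap", "msad")
# Shape of the <location> value shown in the guide's extended sample.
REMOTE_LOCATION = re.compile(r"//[^/:\s]+:\d{1,5}/NTLMImpl")


def load_config(xml_text):
    """Return (root, {provider name: (type, element)}, [search order names])."""
    root = ET.fromstring(xml_text)
    providers = {}
    for tag in PROVIDER_TAGS:
        for el in root.iterfind(f"./spi/provider/{tag}"):
            providers[el.get("name")] = (tag, el)
    order = [el.text.strip() for el in root.iterfind("./searchOrder/el")]
    return root, providers, order


def resolve_user(login, order, directory_contents):
    """The first provider in the search order that holds the login is the one
    used, which is why the guide warns against duplicating users across stores.
    directory_contents maps provider name -> set of logins it holds."""
    for name in order:
        if login in directory_contents.get(name, ()):
            return name
    return None


def duplicated_logins(directory_contents):
    """Logins held by more than one provider, with the providers holding them."""
    holders = {}
    for name, logins in directory_contents.items():
        for login in logins:
            holders.setdefault(login, []).append(name)
    return {login: names for login, names in holders.items() if len(names) > 1}


def audit_config(xml_text):
    """Points to check before go-live; this example's own list, not Hyperion's."""
    root, providers, order = load_config(xml_text)
    findings = []
    for name in order:
        if name not in providers:
            findings.append(f"searchOrder names undefined provider '{name}'")
    for name, (tag, el) in providers.items():
        if name not in order:
            findings.append(f"provider '{name}' is defined but absent from searchOrder")
        if tag in ("ldap", "msad") and el.findtext("authProtocol") != "ssl":
            findings.append(f"{tag} '{name}': authProtocol is not ssl, so the "
                            "userDN bind password crosses the network in clear")
        if tag == "ntlm":
            loc = el.findtext("remoteServer/location")
            if loc is not None and not REMOTE_LOCATION.fullmatch(loc.strip()):
                findings.append(f"ntlm '{name}': remoteServer location '{loc}' "
                                "is not of the form //host:port/NTLMImpl")
    if (root.findtext("logger/priority") or "").strip().upper() == "FATAL":
        findings.append("logger priority FATAL: messages below FATAL are suppressed; "
                        "raise it (for example to warn) while validating the deployment")
    return findings
```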
Glossary
Security platform A framework providing the ability for
Hyperion applications to use external authentication and
single sign on. To enable this functionality, the application
administrator or installer needs to configure the
application to be compatible with the company's own
repository of users and groups (see Configuration).
Application programming interface (API) documentation
is available for implementing the security functionality on
custom Hyperion-based applications.
External authentication The user information needed to
log on to a Hyperion application is stored outside of the
Hyperion application. The information is instead
maintained in a corporate authentication repository.
Authentication repository A centralized, corporate store
of user and group information. May also be referred to as
directory or provider. The security platform provides built-
in support for the following providers: Lightweight
Directory Access Protocol (LDAP) Directory, Windows NT
LAN Manager (NTLM), and Microsoft Active Directory
(MSAD).
Single sign-on The ability of an externally authenticated
user to access multiple, linked Hyperion applications after
logging on only to the first application. When the user logs
in to the first Hyperion application, an encrypted token of
credentials is generated by the security platform and
passed back to the calling application. When the user
launches secondary applications from within the first
application, no further authentication is required.
Configuration The security platform relies on an XML
document to be configured by the product administrator
or installer of the software. The XML document must be
modified to indicate meaningful values for properties,
specifying locations and attributes pertaining to the
corporate authentication scenario. For configuration
instructions, see the documentation for the applicable
Hyperion product.
Identity A unique identification of one valid user or
group existing on an external authentication repository.
Token An encrypted string returned from the security
platform that holds information for a user. Tokens are
opaque to the application, and are generated upon
authentication.
Security Agent A Web access management solution
employed by companies to manage and enforce
authentication, authorization, and single sign-on.
Examples: Netegrity SiteMinder, IBM Tivoli Access
Manager. The Hyperion security platform enables single
sign-on for a user into a web-based Hyperion application
without challenging the user for credentials, as long as the
Security Agent has already authenticated the user.
Integration with a Security Agent requires configuration of
the <securityAgent></securityAgent> element in the
XML configuration file. The term Security Agent is
interchangeable with Web Security Agent.
Index
A
Active Directory
Base DN, 21
host name, 21
port number, 21
referrals support, 34
Active Directory deployment scenario, 77, 79 to 81
address
of LDAP/MSAD provider, 21
Administration Services, 49
Analytic Services, 43
Analyzer, 38
Anonymous bind, 21
Application Builder, 39
authentication
timeout setting, 27
Authorization Type, 24
B
Base DN
LDAP/MSAD, 21
binding anonymously, 21
Business Modeling, 42
Business Rules, 43
C
configuration, 19
for external authentication, 19
CSS.xml
manually configuring, 28
samples, 89
custom object-class entries
for LDAP/MSAD groups, 33
for LDAP/MSAD users, 32
D
debug
logging level, 28
deployment scenario
Active Directory, 77, 79 to 81
LDAP, 76, 79 to 80, 82
NT LAN Manager, 78 to 80, 83 to 84
Deployment Services, 51
Domain property for NT LAN Manager configuration, 25
E
e-mail attribute, 31
Enterprise, 43
error
logging level, 28
error messages
configuring, 28
Essbase, 43
Essbase Administration Services, 49
Essbase Deployment Services, 51
Essbase Integration Services, 52
Essbase Spreadsheet Services, 52
external authentication
configuration, 19
introduction, 7
F
fatal
logging level, 28
Financial Management, 52
first-name attribute, 30
fnAttribute property, 30
G
group name attribute, 33
Group URL, 22
groups
location of in directory, 22
H
host name
LDAP/MSAD, 21
Hub
configuring for external authentication, 19
Hyperion Analytic Services, 43
Hyperion Analyzer, 38
Hyperion Application Builder, 39
Hyperion Business Modeling, 42
Hyperion Business Rules, 43
Hyperion Enterprise, 43
Hyperion Essbase, 43
Hyperion Essbase Administration Services, 49
Hyperion Essbase Deployment Services, 51
Hyperion Essbase Integration Services, 52
Hyperion Essbase Spreadsheet Services, 52
Hyperion Financial Management, 52
Hyperion Intelligence, 60
Hyperion Metrics Builder, 53
Hyperion Performance Scorecard, 54
Hyperion Performance Suite, 54
Hyperion Planning, 55
Hyperion Remote Authentication Module, 26
Hyperion Reports, 59
Hyperion SQR, 60
Hyperion Strategic Finance, 60
Hyperion Translation Manager, 62
I
info
logging level, 28
Integration Services, 52
Intelligence, 60
L
LDAP
adding or configuring the provider, 20
Base DN, 21
host name, 21
port number, 21
provider configuration name, 21
versions, 10
LDAP deployment scenario, 76, 79 to 80, 82
logging levels, 28
login
expiration setting, 27
login attribute, 29
M
manual configuration of CSS.xml, 28
maximum result-set size from query of LDAP/MSAD, 24
maximum result-set size from query of NTLM, 26
maxSize property (LDAP/MSAD), 24
maxSize property (NTLM), 26
messages
configuring, 28
Metrics Builder, 53
Microsoft Active Directory
adding or configuring the provider, 20
provider configuration name, 21
N
nameAttribute property, 33
Netegrity SiteMinder, 9
NT LAN Manager
adding or configuring the provider, 24
configuration pre-requisites, 15
domain specification, 25
provider configuration name, 25
Remote Authentication Module, 26
required user rights, 15
NT LAN Manager deployment scenario, 78 to 80, 83 to 84
O
object-class entries
for LDAP/MSAD groups, 33
for LDAP/MSAD users, 32
ou, 22
P
passwords
and trust settings (LDAP/Active Directory), 22
and trust settings (NTLM), 26
Performance Scorecard, 54
Performance Suite, 54
Planning, 55
platform support, 7
port number
LDAP/MSAD, 21
properties files
modifying, 19
properties not available in Hyperion Hub, 28
property element for MSAD referrals support, 34
provider configuration name (LDAP/MSAD), 21
provider configuration name (NTLM), 25
R
referrals
Active Directory, 34
Remote Authentication Module, 26
deployment scenario, 84
Reports, 59
results
setting maximum size (LDAP/MSAD), 24
setting maximum size (NTLM), 26
S
sample configurations, 89
search order for providers
setting, 27
Secure Sockets Layer
enabling, 24, 69
security agent, 9
SSL, 69
single sign-on
introduction, 7
single sign-on tokens, 8
SiteMinder
and trust settings, 23
deployment scenario, 85
using, 9
version, 10
snAttribute property, 31
Spreadsheet Services, 52
SQR, 60
SSL
enabling, 24, 69
sso_token for single sign-on, 57
Strategic Finance, 60
surname attribute, 31
system requirements, 7
T
timeout
for an authentication token, 27
token, 8
token timeout, 27
tokens
and trust settings (LDAP/Active Directory), 22
and trust settings (NTLM), 26
Translation Manager, 62
trust setting
LDAP/Active Directory, 22
NT LAN Manager, 26
U
UNIX
versions, 10
URL
of LDAP/MSAD provider, 21
user account
default for connecting to a directory, 21
User DN and Password, 21
user entries
uniquely identifying in LDAP/MSAD, 29
user list
maximum size of (LDAP/MSAD), 24
maximum size of (NTLM), 26
user policies
required for NT LAN Manager, 15
User URL, 22
users
location of in directory, 22
W
warn
logging level, 28
web access management solutions
using, 9
Windows
versions, 10
X
XML
sample configurations, 89
