HFM 11.1.2.4.102 still insecure

In the last few months, I've described how HFM 11.1.2.4 is not working in secure configurations (i.e. does not support encryption/SSL):

• Hyperion Financial Management (HFM) 11.1.2.4.0 cannot be fully secured
• Financial Management 11.1.2.4.101 still cannot be secured

It looks like the recently-released patch .102 still does not fix this glaring omission. Clearly security is very low in Oracle's list of priorities (but I'm sure their cloud setups are really really secure, uh-uh...).

Anyway, in the previous posts I recommended to work around this problem by having all HFM components on one single well-firewalled box. This setup was already sub-optimal (it's a single point of failure, and of course it might not meet some workload requirements), but as I went through other items it became clear that it's even more untenable than I previously thought.

This is because 11.1.2.4 components integrating with HFM (Financial Reporting, Calculation Manager, OBIEE and so on) will talk directly to application and cluster processes, bypassing the Weblogic-based web-application. Because of the previously-mentioned bug, communication will be completely unencrypted.

This means that theoretically, if any component uses the HFM API to integrate, it would have to run on the same single box as HFM.

The only exceptions to this rule are:

• the EPM Architect Dimension Server service, which will go through the web-app for its own calls (all related to metadata, like deployment, lookups etc). However, EPM Architect's own DataSynchronization service (which can automatically copy data across EPM products) will again go directly to appserver processes without encryption.
• webservices-based products like Financial Close Manager, Tax Governance etc (i.e. products built on Oracle SOA). These integrate with HFM via its web service interface exposed by Weblogic, which can be easily secured with SSL.

Bonus: a teaser

If you feel adventurous, you can figure out why HFM does not work with SSL.

1. Create the EPM Registry properties mentioned in logs as reported in my first post.
2. Run Process Monitor while you start the HFM JavaServer process.
3. In the resulting capture, look for "File Not Found" containing "user_projects" in path. One of these files should look familiar...

Financial Management 11.1.2.4.101 still cannot be secured

I was hoping the recent wave of patches (.100 and .101) for HFM-- sorry, Oracle EPM Financial Management 11.1.2.4 would have started to address those well-known security problems that have been plaguing this (otherwise remarkable) release. Unfortunately, that is not the case.

To begin with, the server component is still looking for the wrong properties in registry ("isSSL" and "SSL_Port" rather than the actually existing "isSslEnabled" and "ssl_port"). This means that, whichever option you select in Configuration Utility, the component will default to ssl-disabled.

If we try to trick it, by manually adding the properties it's looking for, we get the following errors and the service shuts down:

[...] [FM] [ERROR] [] [oracle.FM.HSX.SERVER.oracle.epm.fm.hsxserver.HsxServer] [...] 
[SRC_CLASS: oracle.epm.fm.hsxserver.HsxServer] 
[SRC_METHOD: startThriftServices] An error occurred while starting HSX_SERVER_NAME service.[[

org.apache.thrift.transport.TTransportException: Either one of the KeyStore or TrustStore must be set for SSLTransportParameters

at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:99)
at oracle.epm.fm.common.BaseSeviceManager.getSSLServerTransport(BaseSeviceManager.java:121)
at oracle.epm.fm.common.BaseSeviceManager.startService(BaseSeviceManager.java:68)
at oracle.epm.fm.hsxserver.HsxServer.startThriftServices(HsxServer.java:64)
at oracle.epm.fm.hsxserver.HsxServer.init(HsxServer.java:43)
at oracle.epm.fm.hsxserver.HsxServer.main(HsxServer.java:27)
]]

[...] An error occurred while starting HSX_SERVER_NAME service.[[
oracle.epm.fm.common.exception.HFMException: EPMHFM-66019: An error occurred while starting HSX_SERVER_NAME service.
at oracle.epm.fm.hsxserver.HsxServer.startThriftServices(HsxServer.java:70)
at oracle.epm.fm.hsxserver.HsxServer.init(HsxServer.java:43)
at oracle.epm.fm.hsxserver.HsxServer.main(HsxServer.java:27)
]]

As you can see, it complains about missing keystores. This was always a possibility, since we never got a chance to specify such a thing during configuration; however, most SSL-aware software usually ships with demo keys preconfigured for tests, so it was not unreasonable to expect HFM would do the same. No such luck!

Hopefully both problems will be comprehensively addressed sooner rather than later. As it is, secure 11.1.2.4 implementations still have to rely on both HFM web and app components running on a single box with a tight firewall, which is far from ideal.

Bonus: Peeking Under The Hood

These errors lift the veil on some of the development strategies Oracle employed to remove hard dependencies between HFM and Windows-specific DCOM.

It looks like they are using Apache Thrift, which can be roughly described as a serializer library to auto-generate network APIs for existing programs. They basically dropped DCOM network code and replaced it with a simpler network interface built on (if my speculation from the previous post is correct) some Weblogic subcomponent; this interface uses Thrift-generated serializations to pass data between appserver processes and the ADF-based web application.

In theory, such an approach could make it easier for third-party components to open connections directly to the HFM appserver, bypassing the need for specific client libraries (with their byzantine requirements) and just using Thrift to figure out necessary calls. However, I'm not really an expert in this field and I don't really know what this effort would entail; at this point, your best bet for custom integration is still likely to be the official HFM SDK.

Hyperion Financial Management (HFM) 11.1.2.4.0 cannot be fully secured

(If you don't know what HFM is or does, look away now!)

If you work in the Oracle EPM space, you know that the long-awaited version 11.1.2.4.0 has finally been released, without much fanfare. For HFM, this release marks a major turning point: core services have been deeply modified in order to make them run on Unix/Linux, and ASP.Net was entirely removed from the stack, so that HFM can be officially supported on Exalytics system running Oracle Linux.

HFM is built on the Microsoft C++ stack, so it was an arduous task to make it portable without throwing away a decade of development efforts. To Oracle's credit, the mission was basically accomplished; however, *nix shops will likely not be too eager to deploy 11.1.2.4.0 in production environments just yet -- nor will traditional HFM customers. This release is rough, with quite a few functional bugs (taskflows cannot be displayed; the interface does not fully work in IE11; and so on), and unfortunately security was another casualty.

If you enable SSL for internal communication between EPM components, all services should encrypt their network traffic. In order to do that, they have to be manually configured, installing identity certificates required by the SSL protocol; this is a standard operation in Weblogic, and documented for other components in the Security Configuration Guide. Unfortunately, the HFM application server:

1. is not a Weblogic instance (at least not officially -- will clarify this later)
2. is not documented in the Guide yet.

Straight out of the gate we have a problem -- what certificate will HFM use? Nevermind, let's assume there is one hardcoded somewhere (shock, horror!). We simply enable full-SSL in Common Settings:

Then activate SSL support in the HFM Application Server configuration task:

And we can see in the EPM Registry that these settings have gone in:

We then configure the rest of the stack to use SSL (which is quite trivial, these days), increase logging here and there (good practice when enabling SSL, since it helps with troubleshooting), restart our services and... it all works! Great! Hold on, what is this in the HFM log?

[2015-02-06T01:11:05.087+00:00] [FM] [ERROR] [EPMHFM-65559] [oracle.FM.HSSUTIL.oracle.epm.fm.hssservice.RegistryWrapper] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hssservice.RegistryWrapper] [SRC_METHOD: getRegistryProperty] Invalid property isSSL for HIT Registry component app24. [2015-02-06T01:11:05.132+00:00] [FM] [WARNING] [] [oracle.FM.HSX.SERVER.oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [SRC_METHOD: init] An error occurred retrieving property isSSL from EPM registry, using default value :false. [2015-02-06T01:11:05.141+00:00] [FM] [ERROR] [EPMHFM-65559] [oracle.FM.HSSUTIL.oracle.epm.fm.hssservice.RegistryWrapper] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hssservice.RegistryWrapper] [SRC_METHOD: getRegistryProperty] Invalid property SSL_Port for HIT Registry component app24. [2015-02-06T01:11:05.141+00:00] [FM] [WARNING] [] [oracle.FM.HSX.SERVER.oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [SRC_METHOD: init] An error occurred retrieving property SSL_Port from EPM registry, using default value :9092.[...] [SRC_METHOD: init] isSSLEnabled :false

Ouch, it looks like HFM is just ignoring our settings. Old-hat EPM infrastructure hackers at this point are probably thinking "Hold on, I know those 'not found' properties; they're usually seen on web-app nodes!" and that's exactly it. The HFM server fancies itself a web-app, and looks for web-app properties in its registry node; but that node is actually a custom non-standard type with non-standard properties "isSslEnabled" and "ssl_port" (lowercase).

To verify that HFM was not encrypting anything, I dusted off my miserable Wireshark skills and logged some network traffic.

As you can see in the screenshot, data originating from the HFM application server and using ports in the range used by HFM, are sending data down the wire completely unencrypted. Malicious actors could hide somewhere in your company network and silently siphon away all your precious financial data with minimal effort. If you care about security, you'll likely want to give this HFM release a wide berth, at least until this bug is fixed.

Bonus: The Strange Case of The Masqueraded Weblogic

As I mentioned above, the HFM application server is not officially a Weblogic instance. So why is it trying to look up registry properties typical of Weblogic instances? Maybe because it is, in fact, a bastardised Weblogic. If we look at the startup parameters configured in Windows Registry, we find the following:

What's that? A Weblogic parameter? Indeed it is. And why is it there? By default, Weblogic will use the cryptographic extensions found in the JDK (or JRockit) in which is running. By setting "nojce" to True, you can tell Weblogic to actually use its internal implementation of such extensions (which were probably developed by BEA back in the days, when crypto support in the JDK was a bit shaky). If you are bastardising weblogic, I guess you can also replace some of these classes with your custom versions, which is probably what Oracle was trying to do here.