Monday Sep 05, 2011

EPM - Essbase Agent may hang due to higher LDAP timeout set in Shared Services

Applies To: EPM

If you see the error “LDAP response read timed out timeout used.....” in the SharedServices_SecurityClient.log file, lower the default value of this timeout for external providers. A high timeout may cause the Essbase Agent process to hang, so lowering the value may help to resolve the Essbase Agent hang issue.

Tip: The parameter used to configure this timeout is "dirContextReadTimeOut" (a CSS.xml setting). The default value is 2 minutes (120000 ms). For example, you can set it using the syntax <dirContextReadTimeOut>30</dirContextReadTimeOut> (in seconds). It is configured inside an LDAP/MSAD provider.

Saturday Sep 03, 2011

EPM 11.1.2 - Exporting Security out of Hyperion Planning application

You can extract security information out of a Planning application using the following script on the Planning SQL tables,




Tuesday Aug 30, 2011

EPM 11.1.2 - EPM / BI Whitepapers on OTN

You can find useful EPM whitepapers in the EPM / BI Whitepapers section on OTN.

EPM 11.1.2 - HBR Cross-dimensional operator with the CCONV command

If you use a cross-dimensional operator with the CCONV command in a calc script/HBR, the calc script/HBR may not validate successfully and you might run into an error like the one below:

Detail: Encountered "->" at line n , column n. Was expecting:    ";" ...

Possible Solution: Apply Hyperion® Business Rules Release Patch Set Exception (PSE): 11823749

Wednesday Aug 24, 2011

EPM 11.1.2 - In Essbase, use default values for timeouts

; NETDELAY                             ;It is recommended to use default value (200)*

; NETRETRYCOUNT                  ;It is recommended to use default value (600)*

Important Note*: It is recommended to keep the timeout at the default value, which is 2 minutes. If it has to be raised, the recommended maximum timeout is 5 minutes.

Tip: How to calculate the timeout from these settings:

NetDelay (200) is in milliseconds, so divide it by 1000 and then multiply by NetRetryCount (600) to get the timeout in seconds, for example:

(200/1000) * 600 = 120 seconds (120/60 = 2 minutes)

EPM 11.1.2 - Add NO_HOSTNAME_LISTCONNECT Configuration Setting for Essbase

This setting specifies whether Essbase converts the IP addresses of the client computers that are logged into Essbase to the computers' hostnames when you use the display session MaxL statement or the EAS sessions console to view active login sessions. When set to TRUE, IP addresses are not converted to hostnames, which improves the performance of the display session MaxL statement.


Tip: The setting should be NO_HOSTNAME_LISTCONNECT TRUE in the essbase.cfg file.

Friday Jul 01, 2011

EPM 11.1.2 - In EPM distributed install and config, unable to start Foundation / Planning web application due to JDBC error and invalid SQL object errors in Foundation / Planning web log


When setting up EPM in a distributed environment, keeping configtool up on two boxes and going back and forth to configure more causes problems: configtool will have an old view of the registry if, for example, you configure anything on box1, then start configtool on box2 and configure something there, then return to box1 where the tool is still up, go back to the task panel and continue configuration.

Similarly, if you start configtool on box1 and box2 and sit on the task panel on each, then go to box1 and configure anything, then go to box2 and configure anything, the registry will not be correct.


EPM JDBC datasources db credentials in WebLogic Server may have changed during configuration in distributed install. Double check in WebLogic Server console for each EPM JDBC data source e.g. EPMSystemRegistry etc. 

Important Note: Configtool is a single user, single instance tool and should/must be shut down before proceeding to next box.

EPM 11.1.2 - In Foundation Services, binder exception causing login and lockout issues with MSAD provider

Possible symptoms and errors:

  1. EPMCSS-00301: FAILED TO AUTHENICATE USER INVALID CREDENTIALS error thrown upon login into workspace even with correct credentials
  2. MSAD account gets locked after successive login failure attempts
  3. Unable to login with native "admin" and MSAD admin user

SharedServices_Security.log file shows the following,

[FoundationServices0] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 18] [userId: <anonymous>] [ecid: 0000J2MAfXF6QPP6yf7i6G1DyLC900000p,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [APP: WORKSPACE#] [SRC_METHOD: init] Failed to get connection [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db0] from connection pool for user directory <directory_name>. Error executing query. {2}. Verify user directory configuration.


“AcceptSecurityContext error, data 775, v1db0” means the bind userid or the bind password for MSAD is not set correctly. This could be the reason that the account is getting locked out. The MSAD provider code is trying to initialize the MSAD provider with the provided user/password. After three attempts of a bad login, MSAD locks out the account.

If the “admin” user is not able to log in, that could be because there is a duplicate “admin” user in both MSAD and Native Directory. Authentication first goes to MSAD and fails because it is not able to get the JNDI connection, and then it goes to Native Directory. It fails with Native Directory because of a password mismatch.


  1. Validate the MSAD bind userid and password in the MSAD configuration screen in HSS.
  2. Change the password for the MSAD provider and restart Foundation Services.

By: Ruben V
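
To triage the log entries described in this post, the following added example (not part of the original post or of Oracle's tooling) pulls the Active Directory sub-code from the "data" field of each LDAP error 49 line and counts the sub-codes per user directory. The sub-code table uses the standard Win32 error numbers that Active Directory returns, which the post does not list; the sample lines are constructed and CORP_MSAD is a hypothetical directory name.

```python
import re
from collections import Counter

# Active Directory bind-failure sub-codes (hex Win32 error numbers) found in
# the "data" field of an LDAP error 49. Standard values, not from the post.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_FAILURE = re.compile(
    r"LDAP: error code 49\b.*?AcceptSecurityContext error, data ([0-9a-fA-F]+)"
    r".*?for user directory (.+?)\.(?:\s|$)"
)

# Constructed sample lines, shaped like the log entry quoted in the post.
# CORP_MSAD is a hypothetical user directory name.
_PREFIX = ("[FoundationServices0] [ERROR] [EPMCSS-07047] [SRC_METHOD: init] "
           "Failed to get connection [LDAP: error code 49 - 80090308: LdapErr: "
           "DSID-0C0903A9, comment: AcceptSecurityContext error, data ")
_SUFFIX = ", v1db0] from connection pool for user directory CORP_MSAD. Error executing query."
SAMPLE_LOG = [_PREFIX + code + _SUFFIX for code in ("52e", "52e", "52e", "775")]
SAMPLE_LOG.append("[FoundationServices0] [NOTIFICATION] unrelated line")

def parse_bind_failures(lines):
    """Return (directory, sub-code, meaning) for every AD bind failure."""
    events = []
    for line in lines:
        match = BIND_FAILURE.search(line)
        if match:
            code = match.group(1).lower()
            events.append((match.group(2), code,
                           AD_BIND_SUBCODES.get(code, "unknown sub-code")))
    return events

def summarize(events):
    """Count sub-codes per user directory, e.g. {'CORP_MSAD': {'52e': 3}}."""
    summary = {}
    for directory, code, _ in events:
        summary.setdefault(directory, Counter())[code] += 1
    return summary

if __name__ == "__main__":
    for directory, counts in summarize(parse_bind_failures(SAMPLE_LOG)).items():
        for code, n in counts.items():
            print(directory, code, AD_BIND_SUBCODES.get(code, "unknown"), n)
```

A run of 52e entries followed by 775 for the same directory is the pattern to look for before correcting the bind credentials in HSS.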

Thursday Jun 30, 2011

EPM 11.1.2 - Issues during configuration when using Oracle DB if not using UTF8

If you see issues during configuration when using an Oracle DB that is not using UTF8:


a. During configuration of EPM products, a warning message is displayed if the Oracle DB is not UTF8 enabled. If you continue with the configuration, certain products will not work as they will not be able to read the contents in the tables as the format is wrong.

b. The Oracle DB must be set up to use AL32UTF8 or a superset that contains AL32UTF8.

c. The only difference between AL32UTF8 and UTF8 character sets is that AL32UTF8 stores characters beyond U+FFFF as four bytes (exactly as Unicode defines UTF-8). Oracle’s “UTF8” stores these characters as a sequence of two UTF-16 surrogate characters encoded using UTF-8 (or six bytes per character). Besides this storage difference, another difference is better support for supplementary characters in AL32UTF8 character set.
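
The storage difference in item c, worked through in code. This is an added example, not from the original post: it encodes the same string in standard UTF-8 (what AL32UTF8 stores) and in the surrogate-pair form described for Oracle's "UTF8" (known as CESU-8), then compares byte lengths. The function names and the sample string are illustrative.

```python
def al32utf8_encode(text: str) -> bytes:
    """Standard UTF-8: a character beyond U+FFFF takes four bytes."""
    return text.encode("utf-8")

def oracle_utf8_encode(text: str) -> bytes:
    """Surrogate-pair form (CESU-8): a character beyond U+FFFF is split into
    two UTF-16 surrogates, each written as a three-byte sequence."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if cp <= 0xFFFF:
            out += ch.encode("utf-8")
        else:
            v = cp - 0x10000
            for unit in (0xD800 + (v >> 10), 0xDC00 + (v & 0x3FF)):
                out += chr(unit).encode("utf-8", "surrogatepass")
    return bytes(out)

def byte_lengths(text: str) -> dict:
    """Bytes needed to store the text under each character set."""
    return {"AL32UTF8": len(al32utf8_encode(text)),
            "UTF8": len(oracle_utf8_encode(text))}

def strict_utf8_accepts(data: bytes) -> bool:
    """True if a strict UTF-8 decoder reads the bytes without error."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

# Constructed sample: ASCII, one two-byte character, one supplementary character.
SAMPLE = "Plan \u00e9 \U0001F600"

if __name__ == "__main__":
    print(al32utf8_encode("\U0001F600").hex(" "))     # f0 9f 98 80
    print(oracle_utf8_encode("\U0001F600").hex(" "))  # ed a0 bd ed b8 80
    print(byte_lengths(SAMPLE))
    print(strict_utf8_accepts(oracle_utf8_encode(SAMPLE)))
```

Characters up to U+FFFF encode identically in both forms, so the byte counts diverge only for supplementary characters, and a strict UTF-8 decoder rejects the six-byte form.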

EPM 11.1.2 - Configure a data source to support Essbase failover in active-passive clustering mode

To configure a data source to support Essbase fail-over in active-passive clustering mode, replace the Essbase Server name value with the APS URL followed by the Essbase cluster name; for example, if the APS URL is http://<hostname>:13090/aps and the Essbase cluster name is EssbaseCluster-1, then the value in the Essbase Server name field would be:


Note: Entering the Essbase cluster name without the APS URL in the Essbase Server name field is not supported in this release.

Wednesday Jun 29, 2011

EPM 11.1.2 - Receive Anonymous Level Security token message in IE8 when trying to access Shared Services or Workspace URL

If you get the "Receive Anonymous Level Security token" message in IE8 when trying to access the Shared Services or Workspace URL:

a. Go to Start > Run and enter dcomcnfg
b. Expand Component Services, Expand Computers and right click on My Computer and select Properties
c. Click on the Default Properties tab.  Change the Default Authentication Level to Connect.  Click apply and then OK.
d. Launch the IE browser again and you will be able to access the URL.