Why... Why... Why?
This blog is dedicated to documenting error resolution and other tidbits that I discover while working as a Consultant in the Oracle EPM (Hyperion) field. As much of my job revolves around issue resolution, I see an opportunity to supplement the typical troubleshooting avenues such as the Oracle Knowledgebase and Oracle Forums with more pinpointed information about specific errors as they are encountered. Beware, the information found in this blog is for informational purposes only and comes without any warranty or guarantee of accuracy.


Sunday, September 20, 2015

SHA2 SSL Certificates are Coming

A relatively low-key change is being embraced quickly by the security industry, and it may impact Oracle Hyperion installations. SSL certificates are signed using a specific hash algorithm. For a long time this algorithm was SHA1. However, SHA1 is an old technology and can now be cracked easily. It is no longer secure to use SHA1. Consequently, the industry is swiftly moving to SHA2. As of Jan 1st, 2016 no SHA1 certificates can be issued, forcing the change to SHA2.

One of the better writeups I found on the issue is:
http://www.infoworld.com/article/2879073/security/all-you-need-to-know-about-the-move-to-sha-2-encryption.html

What does this mean?
Some older software has trouble with the SSL handshake when SHA2 certificates are used. For instance, Oracle Database only supports SHA2 starting with 11.2.0.3.
http://docs.oracle.com/cd/E11882_01/server.112/e41360/chapter1_11203.htm
Since then, SHA2 support has been backported to some products, but this likely requires patches. The SHA2 change mostly impacts integrations with older systems using SSL. However, anything touching SSL can be impacted. It will be necessary to identify and test every integration point in your environment that uses SSL. A few examples include:

  • WebLogic
  • LDAP providers
  • Single Sign On providers
  • SSL database connections (DRM, FDM, Essbase...etc)
  • SOA / Web Services interactions

Don't panic. Most Hyperion sites do not make heavy use of SSL, perhaps just offloading at the load balancer. However, sites that have integrated SSL more thoroughly in the environment may be impacted.


Browsers are already starting to call out insecure sites. For instance, looking at Wells Fargo in Chrome, the browser points out that the connection to www.wellsfargo.com is using an obsolete cipher suite.

Taking a look at the certificate details:

However, most sites have already converted. The google.com cert shows the SHA2 certificate.


Your company will be upgrading soon, if not already. Consequently, it's time to start testing your SSL connections with SHA2 to make the transition smoothly.
