Why... Why... Why?
This blog is dedicated to documenting error resolution and other tidbits that I discover while working as a Consultant in the Oracle EPM (Hyperion) field. As much of my job revolves around issue resolution, I see an opportunity to supplement the typical troubleshooting avenues such as the Oracle Knowledgebase and Oracle Forums with more pinpointed information about specific errors as they are encountered. Beware, the information found in this blog is for informational purposes only and comes without any warranty or guarantee of accuracy.


Tuesday, January 10, 2012

SSL and Load Balancing in 11.1.2.1 OHS -> IIS

In 11.1.2.1, if you are using SSL and load balancing from OHS to IIS (ProxyPass, ProxyPassReverse), you will need this knowledgebase article. The OHS-to-IIS connection is used for the Hyperion modules HFM, FDM, DRM and EPMA. The solution disables SSL session caching on the OHS side because IIS does not handle resumed sessions correctly; with the cache enabled you will receive a ton of errors.

Financial Management Error "Bad Gateway. Request could not be processed. Invalid response received by proxy or gateway server" When Browsing Content Within an Application [ID 1385480.1]

Applies to:

Hyperion Financial Management - Version: 11.1.2.1.000 and later [Release: 11.1 and later]
Information in this document applies to any platform.

Symptoms

Users receive the following error messages a few minutes after they start accessing Financial Management (HFM) application content (e.g. opening HFM applications, opening HFM web forms, etc.):

Bad Gateway
Request could not be processed. Invalid response received by proxy or gateway server


Notes:
  • Users access the Workspace user interface through OHS (Oracle HTTP Server),
  • SSL has been enabled on both OHS (Workspace web server) and IIS (HFM web server).

The below error message is being returned in the OHS error log at the time of the issue:

[tid: 3044] [user: SYSTEM] [VirtualHost: epmdev.hyperion.com:0]
ssl_engine_kernel.c:2363: Inter-Process Session Cache: request=REM status=OK
id=65376265333730333164633838663538373 (session dead)
[2011-11-23T22:28:23.2350-08:00] [OHS] [NOTIFICATION:32] [OHS-9999] [core.c]
[host_id: vm0sgennai127] [host_addr: 192.168.0.127] [pid: 4440] [tid: 3044]
[user: SYSTEM] [VirtualHost: epmdev.hyperion.com:0] (OS 10054)

Cause

The error code 10054 visible in the OHS log file indicates that the error occurred on the other side of the connection (i.e. on the IIS side in this case), causing the connection to drop. In particular, IIS is dropping the connection with OHS on asp pages during the SSL handshake, causing users to receive a '502 Bad Gateway' error message when attempting to access HFM content through Workspace.

This issue only occurs if the session cache is enabled on the OHS side. The session cache allows existing SSL sessions to be resumed ('cheaper handshake'). While resuming existing SSL sessions between the OHS and the IIS components, IIS drops the connection during the handshake. This is when the issue occurs.

Solution

IIS is unable to handle the resuming of cached SSL sessions properly. Thus, disabling such session caching prevents the issue from occurring.

Please find below the steps to be followed for disabling the session caching on the OHS side:

Note: These steps have to be followed on any server hosting the Oracle HTTP Server (OHS) component.
  1. Navigate to the below folder:
    <ORACLE_HOME>\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component
  2. Make a backup copy of the file SSL.conf
  3. Open SSL.conf in a text editor (e.g. Windows Notepad)
  4. In the file find the following section:
    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First the mechanism
    # to use and second the expiring timeout (in seconds).
    SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    Modify this file section, so that it looks like this:
    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First the mechanism
    # to use and second the expiring timeout (in seconds).
    # SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
    # SSLSessionCacheTimeout 300
    SSLSessionCache none
    SSLSessionCacheTimeout 15
  5. Save and close the file.
  6. Restart the OHS component for the changes to be taken into account - for instance by restarting the 'Oracle Process Manager (ohsInstanceXXXXXXXX)' service.
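
Because the change has to be made on every server hosting OHS, a quick check of each SSL.conf is useful before restarting. The following is an added example, not part of the knowledgebase article or of Oracle's tooling: it reads the text of an SSL.conf and reports whether the session cache is still active. The function names are hypothetical, the sample input is built from the two file sections shown in step 4, and it assumes that a later active directive overrides an earlier one.

```python
import re

# Directive names in Apache-style configs are case-insensitive.
DIRECTIVE = re.compile(r"^\s*(SSLSessionCache(?:Timeout)?)\s+(\S.*?)\s*$", re.I)

def active_directives(conf_text):
    """Map each active session-cache directive to (value, line number).

    Lines starting with '#' are comments and are skipped; when a directive
    appears more than once, the last active occurrence is kept (assumption:
    the server lets a later line override an earlier one).
    """
    found = {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = (m.group(2).strip('"'), lineno)
    return found

def session_cache_status(conf_text):
    """Return 'disabled', 'enabled' or 'unset' for the SSL session cache."""
    entry = active_directives(conf_text).get("sslsessioncache")
    if entry is None:
        return "unset"
    return "disabled" if entry[0].lower() == "none" else "enabled"

# Sample input: the two SSL.conf sections shown in step 4 above.
BEFORE = '''\
# Inter-Process Session Cache:
SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
'''
AFTER = '''\
# Inter-Process Session Cache:
# SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
# SSLSessionCacheTimeout 300
SSLSessionCache none
SSLSessionCacheTimeout 15
'''

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, session_cache_status(text), active_directives(text))
```

A result of "unset" means no active SSLSessionCache line was found, which is what you get if the original lines were commented out but the replacement lines were never added.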
