Thursday, 28 February 2013

Financial Reporting Studio firewall fun

Another quick blog from me. I was recently working on an 11.1.2.2 Windows environment build with a customer who had a strict policy to enable the Windows firewall between servers and the users accessing the system. I have never really had many dealings with firewalls, as I have been lucky enough to work with internal networks which have been firewall free.

I had no issues with the server to server communication, and the users were mainly accessing the system through the web using OHS on port 19000 and the Excel add-in (it still lives on); these also proved to be no problem on the firewall front.

There were a number of power users who were also report building with the Financial Reporting Studio. Now, Financial Reporting has never been a friend of mine and it has been designed to give me grief.

If you have ever configured a firewall for Financial Reporting Studio then this will probably be of no interest to you and you can have a nice cup of tea and devote your time to a different blog :)

I stupidly thought that by now, in the 11.1.2.2 world, the FR Studio would just go through the HTTP server port 19000 and all would be good, but no, it still seems to be living, like its looks, in prehistoric times.

Anyway, port 19000 was already opened to allow inbound traffic to the web server.


Ok, time to log into the Financial Reporting Studio on a client machine.


Now if you have never seen the above message before you have never used FR Studio. It basically means some sort of problem exists and you are going to have to spend time trying to work out what, because in all the years FR Studio has existed there seems to have been no investment in error trapping and messaging.

I have lost count of the number of times I have seen this message posted on forums, and if you search for the message in Oracle Support you will be inundated with articles.

A quick look at the “Oracle Enterprise Performance Management System Communication Flows” spreadsheet reveals the following:


So the Studio does not just communicate directly with the HTTP server and also requires the RMI default ports of 8205-8209 opening.


The RMI ports are added to the firewall rules so time to try again.


The login was successful so case closed; come on, this is FR Studio we are talking about, life is not so simple…
Opening a report produced:


The communication flow document did not highlight any additional ports for the Studio's use, but obviously it does use some.

A Wireshark trace highlighted:


The FR Studio was communicating on a dynamic port.


I referred to the ports section of “Oracle Enterprise Performance Management System Installation Start Here” and it contained more information than the flows spreadsheet by specifying that FR also uses an ADM server with dynamic ports, which can be configured in a properties file.

I always incorrectly thought the ADM communication was internal, but apparently not, though why does it need to be dynamic?
 

Just when you think that most of the properties have been moved to the Shared Services registry you find out there are more file based ones out there.

As you can see there is a commented-out parameter ADM_RMI_SERVER, which must mean that it takes the default value or 0 and a dynamic port range.


I set the port to a value close to the other RMI service port range and restarted the Financial Reporting web app.


The new port was added to the inbound firewall rules.
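The rule set this post arrives at, plus a client-side check, as an added example that is not part of the original post. It assumes PowerShell 3.0+ with the NetSecurity cmdlets (Windows Server 2012 or later); the ADM port value, the client subnet and the server name are placeholders, since the post does not state them.

```powershell
# Added example, not from the original post. Placeholders are marked.
$AdmPort     = 8210                    # PLACEHOLDER: the fixed value you set for ADM_RMI_SERVER
$StudioHosts = '10.0.50.0/24'          # ASSUMPTION: subnet of the FR Studio power users
$FrServer    = 'frserver.example.com'  # HYPOTHETICAL Financial Reporting server name

# Only the thick-client ports get new rules; 19000 is already open for web users.
# Scoping RemoteAddress keeps the RMI/ADM listeners closed to everyone else.
$Rules = @(
    @{ Name = 'EPM FR Studio RMI';         Ports = '8205-8209' },
    @{ Name = 'EPM FR Studio ADM (fixed)'; Ports = "$AdmPort" }
)

function Add-FrStudioRules {
    # Run elevated on the Financial Reporting server. Skips rules that already exist.
    foreach ($r in $Rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Ports -RemoteAddress $StudioHosts | Out-Null
    }
}

function Test-FrStudioPorts {
    # Run on a Studio client. A timeout usually means a firewall dropped the SYN;
    # a refusal means the host was reached but nothing is listening on that port.
    param([string]$Server = $FrServer, [int]$TimeoutMs = 2000)
    foreach ($port in @(19000) + (8205..8209) + $AdmPort) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Server, $port, $null, $null)
            $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs)
            $state = if (-not $done)            { 'filtered (timed out)' }
                     elseif ($client.Connected) { 'open' }
                     else                       { 'refused (no listener)' }
        } catch {
            $state = "error: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Port = $port; State = $state }
    }
}

# Server side:  Add-FrStudioRules
# Client side:  Test-FrStudioPorts | Format-Table -AutoSize
```

If the ADM port still shows as filtered after the rule is added, the web app is probably still picking a dynamic port, which no static rule can cover.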

 

Opening Financial Reports was successful and there were no other notable problems. Now, I know there is an article in Oracle Support on a similar topic, but personally I find that trying to solve the issue first proves to be much more satisfying than being handed something on a plate.

One more thing: if you do see the following error popup when you log into Financial Reporting Studio:


It might be down to the version of the Studio. In my case I was running 11.1.2.2 Studio and Financial Reporting had been patched to 11.1.2.300, so it is always good to make sure the versions are exactly in sync; this can simply be achieved by downloading Studio from Workspace.

4 comments:

hyperionEPM said...

Hello John,

Thanks a lot for your valuable inputs.

We are also facing an issue where client has a firewall in place and they are unable to access FR studio from their client machines in spite of the port being open. I think it's the Remote ADM Port that is causing the issue. We will try the same at our end and will give it a try.

Thanks,
hyperionEPM

Philip said...

Hello John.

We had this issue - the continually changing ports. Good old Oracle.
The ADM.Properties change fixed the main issue.
However, have you ever seen this? The client opens ok and if you click on the icon to open the reports root folder it works fine, but if you try to use it hangs for 3 minutes then you get an app crash.

Interestingly, this doesn't occur from a machine within the secure vlan itself, suggesting that it's a firewall issue.
I can't for the life of me find where or what port it might be though.
Anyway, thanks for this article. It was very helpful.
Philip

Anonymous said...

Hi John,

Is this the same process for FR studio in 11.1.2.3? In the 11.1.2.3 EPM communication flow Excel file there is a comment "For websphere only" for the RMI protocol rows. Do we need to open the ports (8205-8209 & Dynamic port) in 11.1.2.3 also?

Thanks
HypEPM

John Goodwin said...

In 11.1.2.3 the studio should only communicate through the http web server.