This blog which I’m going to write….probably you all know about this….but I was unaware….So this is for those souls who still don’t know the trick.
It’s a challenge of every Essbase developer when it comes to the security be if Filters, Maxl scripts…..and especially Maxls….
Maxl script needs a username and password to be passed as a prompt or you should hard cord it into the script, which in turn somebody can access the script and learn the Admin username and password….which in turn is a risk….I know many will have counter arguments that will include….the person who is having access to the server should be an admin (yes I always use this argument to counter the infrastructure counterpart).
So what I used to do was to use a java util to encrypt the password and use that as the original password and fool people saying that it is an encrypted one….smart ain’t it…..
But now I learned something where I can use Maxl itself to encrypt the username and password and even strings that is used in the Maxl.
So here we go.
Open up a command prompt and issue command essmsh -gk to create a public key and private key for your essbase server.
C:Usersckattookaran>essmsh -gk
Essbase MaxL Shell – Release 9.3.1 (ESB9.3.1.0.0B181)
Copyright (c) 2000, 2007, Oracle and/or its affiliates.
All rights reserved.
Public Key for Encryption: 25159,850102129
Private Key for Decryption: 240764119,850102129
MaxL Shell completed
The Public key will be used for encrypting the Maxl and Private key to de-crypt it.
So as an example I’m using a Maxl which a simple login MaxL.
spool on to ‘C:\Hyperion\Maxl_Logs\login.log’;
login admin password on locahost;
spool off;
logout;
exit;
Issue the command essmsh -E to encrypt the Maxl script
essmsh -E “c:UsersckattookaranDocumentsMy DataMaxl &
Shell scriptslogin.txt” 25159,850102129
After the command is successfully completed you’ll now have a file with .txts extension (this may vary with the extension that you are using for the Maxl, if you are using .mxl then it’ll be .mxls)
The content of the .txts file is
spool on to ‘C:\Hyperion\Maxl_Logs\login.log’;
login $key 582033048551405370673192053444359748281400644 $key 010812008451704913969265807220406317 on on locahost;
spool off;
logout;
exit;
So now that the Maxl is encrypted we can run the Maxl using and Private Key.
essmsh -D “c:UsersckattookaranDocumentsMy DataMaxl &
Shell scriptslogin.txts” 240764119,850102129
So that’s about Encryption of Maxl scripts.
Update 04/07/2014
Now you might be wondering why a update on this after 4 years (this was published on 5/2/10 – almost 4 years). This blog post ruined the weekend of two people I admire 🙁
Seems like you cannot encrypt anything other than usernames and passwords. The above example of encrypting Essbase server name is not working. I tried it on v11.1.1.3, v11.1.2.2, v11.1.2.3 (Now I’m not even sure whether it was ever working)
Another word of caution to all those who are using Essbase Studio generated MaxL scripts in automation, you cannot encrypt those ones.
Update 04/07/2014
Now you might be wondering why a update on this after 4 years (this was published on 5/2/10 – almost 4 years). This blog post ruined the weekend of two people I admire 🙁
Seems like you cannot encrypt anything other than usernames and passwords. The above example of encrypting Essbase server name is not working. I tried it on v11.1.1.3, v11.1.2.2, v11.1.2.3 (Now I’m not even sure whether it was ever working)
Another word of caution to all those who are using Essbase Studio generated MaxL scripts in automation, you cannot encrypt those ones.
Hi Celvin,
Even i heard about this but did not implement, now we have started using this in our current project.
beyond this you can encrypt the database user and password also in maxl log file while loading the data using sql interface but there are known bugs in this in 9.3.1 version.
hope this is fixed in 11.1.2.
cheers
Raj
Hi
how to provide filter to user using shared services
Srini…..
Expand projects…..then go to analytic services…and select the application you wish to provide the filter access….it'll open a windows with all the users that have access to that application.
select the users and click next provide the filter access….(User the should be first provisioned as filter access user)
Hi celvin if i forgot the admin password , i have encrypted file then , what is the proceess to identify my current password
SSH2}z/+HUITpFNaCoJ/MZnqHoeA/bHJXEVOgv/fTVI7oh5ltcSF0XD6NC/Tw0+kD0Fsi
I don't think you can decrypt that key. It'll be like hacking the password. Which version is this, I know that earlier version (9.3) used SHA encryption. When it was using LDAP, you can login to LDAP using an LDAP browser and change the password. Do you have any other user which has the privileges to change admin's password, that would be the last option
This is very helpful! I will probably be implementing this very soon. Thanks!
Hi Celvin , essmsh – gk did generate the key . But for which server does it refer to . I have not mentioned any local host , how does it even generate keys ?
Secondly I tried essmsh -E "c:Endlogin.txt" 25159,850102129 and it never returned any value to the text file. Any comments Celvin ?
You will run that on the essbase server. It don't need a server name.
For encrypting you should use the public key
I did use the key generated in my local machine . This is what I did
a> essmsh – gk
Got Public and Private Keys
b> essmsh
Entered into Maxl
Maxl> spool on to "c:logs.log"
Maxl> login admin password on localhost;
Maxl> essmsh -E "C:Encryptionkeys.txt" Encryption keys
Do not see this working !!
you'll have a file which has those commands. So when you essmsh -E "C:Encryptionkeys.txt" it is thinking that there is a file called keys.txt with the maxl to encrypt.
Celvin , after i used this command
Maxl> essmsh -E "C:Encryptionkeys.txt" Encryption keys , I dint see anything in the keys.txt file in C: folder .I created Keys.txt and tried running again but did not see anything in the file !!
What is there in keys.txt?
All your MaxL commands must be there in it
Hi Kelvin , I created a test.mxl file and it worked . Thanks !! I just have a concern here , when we use essmsh -gk we get Public and Private keys . But to which server those keys are associated with . Are they Generic , just not sure what is the logic behind that.
It is associated to the server where you ran the command
Celvin , I wanted to create keys in the Prod server . The same process worked in my Local machine , but in server it is not even accepting essmsh -gk when I go to command prompt. It is giving some error that Invalid command etc .
That week is telling you that there is an issue with the path variable. Open a command prompt and navigate to the directory which has essmsh
Celvin , This is what I did in Essbase server:
When i type essmsh -gk , I see "error initializing localization module".
Its not about getting into Maxl shell , but about generating keys . When I try the same from my local machine it works .
I know that there are certain paths for startMaxl.bat or essmsh.exe . The whole point is not about getting into Maxl but about the recognition of essmsh – gk !!
Any idea about what needs to be done ?
Never mind . I had to set environment variable in Local . I could run essmsh .Will try in server and Update Celvin , Thanks !!
Did you check the reply from Glenn in OTN?
Yes Celvin , I did . Thanks !!
Hi celvin,
How i will apply this encryption to Linux based essbase server
@sandeep did you try the steps described here?
yes celvin i have tried and it is working in my local computer as well.Thanks
Hi,
I have created the test.mxls file with encypted ID and password on window essbase server. where do I save this ID and password and what format for batch job to use? Please let me know.
thanks
Run it using -D switch
essmsh -D "test.mxls"
thanks,
I do have the keys now but, unable to login with those keys. i am getting error unable to login error message when I use those keys. Do you have any idea on this?
Thanks,
How are you using the keys? Go through the post above and see what is wrong with the script
Hi Celvin – in the -ep example, have you encrypted just the word "localhost", or have actually encrypted the whole script?
Tim I think I did localhost. However looking at the length of the string I'm not sure what I did 😉
Thanks Celvin. I've been playing around trying to get it to encrypt the entire script. Jjust encrypting the credentials makes it very easy for a malicious user with access to the 'scripts' directory to modify the script to do something it shouldn't, even though he or she doesn't know the password (a criticism of MaxL, not your blog post!).
That string does seem to long to just be "localhost", yeah. 🙂
I'm sorry that this post ruined your and Cameron's weekend. I tried to see whether I still have the script and I cannot find it. I tried testing in on different versions I've and seems like it is not working.
I swear that I did this at a client, however now I doubt that myself, maybe I thought of doing it and never did it.
Now I doubt whether it was ever working. TechRef seems to say that you can encrypt data (not just credentials)
Ruined my weekend? No,but a bit frustrating. That was my own doing, though.
I kept on thinking, "Well, Celvin says it works. So what am I doing wrong?" More MaxL madness.
🙂
Regards,
Cameron Lackpour
Hi,
I am able to encrypt and run the scripts with all the process but how to embed this in a batch script.How to call all these -gk, -E & -d scripts in batch?
Or if I generate keys manually and just add -d script in the batch , will it work? If yes how to add that script…?
Your help is most appreciated
i have a MAXL batch running from workspace. workspace server has essbase client installed.i need help in implementing encription/decryption here.
any help will be appreciated
Did you go through what is written over here? What issues are you facing?
Hi,
we are trying to encrypt the keys , But we are facing errors with initializing localization module/ can you please specify..
Which version? Are you using startMaxl.cmd if you are on 11.1.2.x?
it is 11.1.2.3
Are you using startMaxl.cmd?
Hi Celvin,
Let me explain you the full scenario.
First, we have some confusion with Environment Variables. Our environment is Distributed setup, we have combination of Windows and Unix(Only Essbase).
The environment variables are setup as in unix as
ARBORPATH=/u02/Oracle/Middleware/user_projects/hypdeveb01/EssbaseServer/essbaseserver1
ESSBASEPATH=$EPM_ORACLE_HOME/products/Essbase/EssbaseServer
Secondly, do we need to setup variables in Windows as well?
If so, do we need to place both the variables or only Essbasepath.
Is it is Essbasepath, may I know the exact path or it is same as mentioned above.
The reason we are asking this question , we are getting the below error when we run the msh
D:OracleMiddlewareEPMSystem11R1commonEssbaseRTC11.1.2.0bin>essmsh -gk
'essmsh' is not recognized as an internal or external command,
operable program or batch file.
Please advise
Thanks in advance
Arjun
no we are using essmsh.exe
In 11.1.2.x you should be using startMaxl.cmd.
Now if you are going to (continue)use(ing) essmsh, then you'll have to update your bat file with the contents from startMaxL.cmd.
Don't update ENV variables. Also just search for that error in OTN or Google it, you'll find tons of articles talking about it.
Hi Celvin,
Many thank for the information, But in our instance essbase path is not set up in windows environment ( our environment is distributed) essbase server resides in unix.
Thanks,
Arjun
My Gererate key Batch scritps is like this:
set ESSBASEPATH=D:OracleMiddlewareEPMSystem11R1productsEssbaseEssbaseClient
set ARBORPATH=%ARBORPATH%
set PATH=%ESSBASEPATH%;%PATH%
%ESSBASEPATH%binstartMaxl.bat -gk > Keys.txt
pause
if we are not setting essbase path in windows environment variables, will the above script works?
That is fine. You don't need to set up environmental variables in Windows to run MaxL, that is what startMaxl.cmd does.
so the keys are getting generated when you run that bat file. Then why are you not executing your maxl script the same way. It is not easy to troubleshoot using a blogger comment session. I would love to help you out. But i think this is not the right place.
If you are still facing an issue please raise an SR. Again for running a maxl script in 11.1.2.x you should be using
%ESSBASEPATH%binstartMaxl.bat /yourmaxl.msh
Best thing ever! And so easy! Thank you Celvin! Just got this up and running on Linux for Essbase 11.1.2.4