How to Encrypt Essbase Maxl Scripts 46

This blog which I’m going to write….probably you all know about this….but I was unaware….So this is for those souls who still don’t know the trick.

It’s a challenge of every Essbase developer when it comes to the security be if Filters, Maxl scripts…..and especially Maxls….

Maxl script needs a username and password to be passed as a prompt or you should hard cord it into the script, which in turn somebody can access the script and learn the Admin username and password….which in turn is a risk….I know many will have counter arguments that will include….the person who is having access to the server should be an admin (yes I always use this argument to counter the infrastructure counterpart).

So what I used to do was to use a java util to encrypt the password and use that as the original password and fool people saying that it is an encrypted one….smart ain’t it…..

But now I learned something where I can use Maxl itself to encrypt the username and password and even strings that is used in the Maxl.

So here we go.

Open up a command prompt and issue command essmsh -gk to create a public key and private key for your essbase server.

C:Usersckattookaran>essmsh -gk

 Essbase MaxL Shell – Release 9.3.1 (ESB9.
 Copyright (c) 2000, 2007, Oracle and/or its affiliates.
 All rights reserved.
 Public Key for Encryption: 25159,850102129
 Private Key for Decryption: 240764119,850102129

  MaxL Shell completed

The Public key will be used for encrypting the Maxl and Private key to de-crypt it.

So as an example I’m using a Maxl which a simple login MaxL.

spool on to ‘C:\Hyperion\Maxl_Logs\login.log’;
login admin password on locahost;
spool off;

Issue the command essmsh -E to encrypt the Maxl script

essmsh -E “c:UsersckattookaranDocumentsMy DataMaxl &
Shell scriptslogin.txt” 25159,850102129

After the command is successfully completed you’ll now have a file with .txts extension (this may vary with the extension that you are using for the Maxl, if you are using .mxl then it’ll be .mxls)

The content of the .txts file is 

spool on to ‘C:\Hyperion\Maxl_Logs\login.log’;
login $key 582033048551405370673192053444359748281400644 $key 010812008451704913969265807220406317 on on locahost;
spool off;

Now we can look at the string encryption, let say that I don’t want the to reveal the server name then you can issue the command essmsh -ep to encrypt the string.

C:Usersckattookaran>essmsh -ep localhost 25159,850102129

 Essbase MaxL Shell – Release 9.3.1 (ESB9.
 Copyright (c) 2000, 2007, Oracle and/or its affiliates.
 All rights reserved.

 Encrypted Data: 342268018499721804402002180168360995190940510637239348732675267

  MaxL Shell completed

So now that the Maxl is encrypted we can run the Maxl using and Private Key.

essmsh -D “c:UsersckattookaranDocumentsMy DataMaxl &
Shell scriptslogin.txts” 240764119,850102129

So that’s about Encryption of Maxl scripts.

Update 04/07/2014

Now you might be wondering why a update on this after 4 years (this was published on 5/2/10 – almost 4 years). This blog post ruined the weekend of two people I admire 🙁

Seems like you cannot encrypt anything other than usernames and passwords. The above example of encrypting Essbase server name is not working. I tried it on v11.1.1.3, v11.1.2.2, v11.1.2.3 (Now I’m not even sure whether it was ever working)

Another word of caution to all those who are using Essbase Studio generated MaxL scripts in automation, you cannot encrypt those ones.

About Celvin Kattookaran

I’m an EPM Consultant, my primary focus is on Hyperion Planning and Essbase. Some of you from Hyperion Support team might recognize me or have seen my support articles, I was with the WebAnalysis Support Team. I'm an Independent Consultant with “Intekgrate Corporation” based out of Aurora office. I’m from God’s Own Country (Kerala, India), lived in all southern states of India, Istanbul and Johannesburg (and of course United States). I’m core gamer :) and an avid reader. I was awarded Oracle ACE Director for my contributions towards EPM community.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

46 thoughts on “How to Encrypt Essbase Maxl Scripts

  • Maddy

    Hi Celvin,

    Even i heard about this but did not implement, now we have started using this in our current project.

    beyond this you can encrypt the database user and password also in maxl log file while loading the data using sql interface but there are known bugs in this in 9.3.1 version.

    hope this is fixed in 11.1.2.


  • CV Kattookaran


    Expand projects…..then go to analytic services…and select the application you wish to provide the filter access….it'll open a windows with all the users that have access to that application.

    select the users and click next provide the filter access….(User the should be first provisioned as filter access user)

  • Attili

    Hi celvin if i forgot the admin password , i have encrypted file then , what is the proceess to identify my current password

  • Celvin Kattookaran

    I don't think you can decrypt that key. It'll be like hacking the password. Which version is this, I know that earlier version (9.3) used SHA encryption. When it was using LDAP, you can login to LDAP using an LDAP browser and change the password. Do you have any other user which has the privileges to change admin's password, that would be the last option

  • Saidas BM

    Hi Celvin , essmsh – gk did generate the key . But for which server does it refer to . I have not mentioned any local host , how does it even generate keys ?
    Secondly I tried essmsh -E "c:Endlogin.txt" 25159,850102129 and it never returned any value to the text file. Any comments Celvin ?

  • Saidas BM

    I did use the key generated in my local machine . This is what I did
    a> essmsh – gk
    Got Public and Private Keys

    b> essmsh
    Entered into Maxl

    Maxl> spool on to "c:logs.log"
    Maxl> login admin password on localhost;
    Maxl> essmsh -E "C:Encryptionkeys.txt" Encryption keys

    Do not see this working !!

  • Saidas BM

    Celvin , after i used this command
    Maxl> essmsh -E "C:Encryptionkeys.txt" Encryption keys , I dint see anything in the keys.txt file in C: folder .I created Keys.txt and tried running again but did not see anything in the file !!

  • Saidas BM

    Hi Kelvin , I created a test.mxl file and it worked . Thanks !! I just have a concern here , when we use essmsh -gk we get Public and Private keys . But to which server those keys are associated with . Are they Generic , just not sure what is the logic behind that.

  • Anonymous

    Celvin , I wanted to create keys in the Prod server . The same process worked in my Local machine , but in server it is not even accepting essmsh -gk when I go to command prompt. It is giving some error that Invalid command etc .

  • Anonymous

    Celvin , This is what I did in Essbase server:

    When i type essmsh -gk , I see "error initializing localization module".

    Its not about getting into Maxl shell , but about generating keys . When I try the same from my local machine it works .

    I know that there are certain paths for startMaxl.bat or essmsh.exe . The whole point is not about getting into Maxl but about the recognition of essmsh – gk !!

    Any idea about what needs to be done ?

  • Anonymous


    I have created the test.mxls file with encypted ID and password on window essbase server. where do I save this ID and password and what format for batch job to use? Please let me know.


  • Anonymous


    I do have the keys now but, unable to login with those keys. i am getting error unable to login error message when I use those keys. Do you have any idea on this?


  • TimG

    Hi Celvin – in the -ep example, have you encrypted just the word "localhost", or have actually encrypted the whole script?

  • TimG

    Thanks Celvin. I've been playing around trying to get it to encrypt the entire script. Jjust encrypting the credentials makes it very easy for a malicious user with access to the 'scripts' directory to modify the script to do something it shouldn't, even though he or she doesn't know the password (a criticism of MaxL, not your blog post!).

    That string does seem to long to just be "localhost", yeah. 🙂

  • Celvin Kattookaran

    I'm sorry that this post ruined your and Cameron's weekend. I tried to see whether I still have the script and I cannot find it. I tried testing in on different versions I've and seems like it is not working.

    I swear that I did this at a client, however now I doubt that myself, maybe I thought of doing it and never did it.

    Now I doubt whether it was ever working. TechRef seems to say that you can encrypt data (not just credentials)

  • Cameron Lackpour

    Ruined my weekend? No,but a bit frustrating. That was my own doing, though.

    I kept on thinking, "Well, Celvin says it works. So what am I doing wrong?" More MaxL madness.



    Cameron Lackpour

  • Syed

    I am able to encrypt and run the scripts with all the process but how to embed this in a batch script.How to call all these -gk, -E & -d scripts in batch?

    Or if I generate keys manually and just add -d script in the batch , will it work? If yes how to add that script…?

    Your help is most appreciated

  • Sri

    i have a MAXL batch running from workspace. workspace server has essbase client installed.i need help in implementing encription/decryption here.
    any help will be appreciated

  • arjun

    Hi Celvin,

    Let me explain you the full scenario.

    First, we have some confusion with Environment Variables. Our environment is Distributed setup, we have combination of Windows and Unix(Only Essbase).

    The environment variables are setup as in unix as

    Secondly, do we need to setup variables in Windows as well?

    If so, do we need to place both the variables or only Essbasepath.
    Is it is Essbasepath, may I know the exact path or it is same as mentioned above.

    The reason we are asking this question , we are getting the below error when we run the msh
    D:OracleMiddlewareEPMSystem11R1commonEssbaseRTC11.1.2.0bin>essmsh -gk
    'essmsh' is not recognized as an internal or external command,
    operable program or batch file.

    Please advise

    Thanks in advance

  • Celvin Kattookaran

    In 11.1.2.x you should be using startMaxl.cmd.

    Now if you are going to (continue)use(ing) essmsh, then you'll have to update your bat file with the contents from startMaxL.cmd.

    Don't update ENV variables. Also just search for that error in OTN or Google it, you'll find tons of articles talking about it.

  • arjun

    Hi Celvin,

    Many thank for the information, But in our instance essbase path is not set up in windows environment ( our environment is distributed) essbase server resides in unix.


  • arjun

    My Gererate key Batch scritps is like this:
    set ESSBASEPATH=D:OracleMiddlewareEPMSystem11R1productsEssbaseEssbaseClient

    %ESSBASEPATH%binstartMaxl.bat -gk > Keys.txt

    if we are not setting essbase path in windows environment variables, will the above script works?

  • Celvin Kattookaran

    That is fine. You don't need to set up environmental variables in Windows to run MaxL, that is what startMaxl.cmd does.

    so the keys are getting generated when you run that bat file. Then why are you not executing your maxl script the same way. It is not easy to troubleshoot using a blogger comment session. I would love to help you out. But i think this is not the right place.

    If you are still facing an issue please raise an SR. Again for running a maxl script in 11.1.2.x you should be using

    %ESSBASEPATH%binstartMaxl.bat /yourmaxl.msh