Security is always an important thing that clients consider.
Clients are becoming increasingly concerned with security within their Hyperion environment, and rightly so. Having administrator credentials hard-coded into our scripts is not a secure solution. The real solution is to encrypt the administrator credentials using public and private keys within a Windows environment. NOTE: this approach was written and tested on a Windows 2008 R2 Standard Server.
Steps to Encryption
Step 1: Initiate a remote desktop connection onto the Essbase server.
Your MaxL scripts don’t necessarily have to reside on the Essbase server, but the MaxL shell does need to be properly configured so that you can access the Essbase shell by typing ‘startmaxl’ into the command prompt from any directory.
Step 2: Open a command prompt window, and type…
This command creates the Public and Private keys that you will be using. The Public key is used to encrypt your scripts, while the Private key is used to decrypt your script prior to runtime.
Step 3: Open a blank notepad document and record both of these keys, as you will be using them several times…
Public Key: 21157,1723372087
Private Key: 1186517533,1723372087
With an un-encrypted script, the admin credentials can be entered into the MaxL script file itself, or passed into the script from the DOS batch file via instance variables…
In MaxL File:
login admin password on aphrodite;
Passed to MaxL File from DOS batch:
startmaxl script_to_be_run.mxl admin password aphrodite
login $1 $2 on $3;
For the encryption to work, the admin credentials must be in the MaxL file itself, and not passed in as instance variables.
For simplicity, navigate to the directory where your MaxL script resides (C:\TopDown\Essbase in this example).
Issue the following command…
startmaxl -E script_to_be_encrypted.mxl 21157,1723372087
Where 21157,1723372087 is the Public key you created previously.
Issuing this command creates a copy of your MaxL script and adds an ‘s’ to the file’s extension. You can use .msh, .mxl, or even .txt for your scripts. After encryption, these will be .mshs, .mxls, or .txts respectively. The new file will be created in the same directory as its original.
If you open the new script that was just created, you can see what has changed…
Notice the username and password are no longer visible.
Now you can test your newly created, encrypted script. Issue this command…
startmaxl -D script_to_be_encrypted.mxls 1186517533,1723372087
Where 1186517533,1723372087 is your Private key.
If your script executes, delete the original MaxL file, empty the trash, and you’re done!
Repeat for all of your MaxL scripts using the same Public and Private key pair.
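Once the scripts are encrypted, it is worth confirming that no plaintext credentials were left behind. The following audit is an added example, not part of the original post: it walks a script directory and reports scripts that still carry a literal login statement, scripts that take credentials as $1/$2 arguments, and originals still sitting beside their encrypted copy. The function names, finding labels and sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".mxl", ".msh", ".txt"}  # script extensions named in the post
# MaxL grammar: login <user> [identified by] <password> [on <host>];
LOGIN_RE = re.compile(
    r"^\s*login\s+(\S+)\s+(?:identified\s+by\s+)?(\S+?)(?:\s+on\s+\S+)?\s*;",
    re.IGNORECASE | re.MULTILINE,
)

def audit(root):
    """Return {relative path: sorted findings} for unencrypted MaxL scripts."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue  # encrypted copies (.mxls, .mshs, .txts) are skipped here
        issues = set()
        for user, password in LOGIN_RE.findall(path.read_text(errors="replace")):
            if user.startswith("$") and password.startswith("$"):
                # Credentials live in the calling batch file; -E cannot hide them.
                issues.add("credentials-passed-as-arguments")
            else:
                issues.add("hard-coded-credentials")
        # Encryption appends 's' to the extension; the original should be deleted.
        if path.with_name(path.name + "s").exists():
            issues.add("plaintext-original-left-beside-encrypted-copy")
        if issues:
            findings[path.relative_to(root).as_posix()] = sorted(issues)
    return findings

def build_sample_tree(root):
    """Write constructed sample scripts (not taken from a real server)."""
    root = Path(root)
    (root / "load.mxl").write_text("login admin password on aphrodite;\nlogout;\n")
    (root / "load.mxls").write_text("constructed stand-in for encrypted output\n")
    (root / "calc.msh").write_text("login $1 $2 on $3;\nlogout;\n")
    (root / "notes.txt").write_text("no login statement here\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, issues in audit(build_sample_tree(tmp)).items():
            print(name, "->", ", ".join(issues))
```

Point audit() at the real script directory (C:\TopDown\Essbase in the post's example) after Step 3; an empty result means no plaintext login statements or leftover originals were found.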