Creating an Essbase 19c Stack on the OCI Marketplace


Note: This process has been verified on for Essbase Build 362.

The process to build out an Essbase stack can be a tedious process, but it’s rather quick (around 1 hour) and builds out the ENTIRE instance, not just one piece. So it’s recorded for anyone out there, this is a basic installation (no load balancers, networks, etc).

I recommend having a text editor handy to record various, important pieces to the stack creation.

  1. Generate a ssh key. I have chosen to have this key stored in the default location.
  2. Add a specific Essbase Admin user in the Users section.
  1. Give the new user Admin Roles.
  2. Reset the password of the new user.
  3. Close out your browser to kill all user login links. Login as the new user.

    Enter your tenancy name.

  1. This is your Oracle Cloud Infrastructure (OCI) dashboard.
  2. Create an Essbase compartment.
  3. This is where the text editor will come into play. As is highlighted on the previous screenshot, copy the Compartment OCID to your text editor.
  4. Create a Dynamic Group.

    Click on “Rule Builder”.

    Make sure your settings are the same as mine. The “VALUE” is the Compartment OCID you recorded in the previous step.

  5. Create policies for our stack to use.Make sure choose the Compartment you created for Essbase.Copy, verbatim, the statement used below. And, yes, it is natural language, not code.

    Create another policy.

  6. We need to create the Application in the IDCS dashboard.

    Note: We will come back and change these URLs to real URLs later.

    Make sure you copy the Client ID and Client Secret to your text editor!

  7. Now we need create the Vault and Keys so that our environment is protected while we create it.

    Make sure you copy the Crytographic Endpoint URL to your text editor. You do not need the Vault OCID.

  8. Here is where you need to connect via OCI CLI. If you have not already set this up on your machine, the steps to do this are located here.
  9. Upload your oci_api_key_public.pem file to your User page.

    Encrypt your EssbaseAdmin password via the Vault Key. You can either write the oci by hand or use a script. If doing “by hand”, first convert the password to base 64.

    If using Linux, use: echo -n ‘password’ | openssl base64

    You can also use this app online.

    Via the command line, invoke oci to encrypt your admin password via the Vault Key…

    You will need to have the Crypto Endpoint and Vault Key OCID. Invoke oci kms crypto encrypt with –endpoint and –key-id ending with –plaintext base 64 password

    Note: The dashes in front of endpoint, key-id, and plaintext are double dashes, not single dashes. WordPress keeps dropping the second dashes! SEE THE SCREENSHOT BELOW.

    oci kms crypto encrypt –endpoint –key-id ocid1.key.oc1.iad.blahblahblahblah33 –plaintext PasswordAsBase64

    You will get a return value of “ciphertext”. Copy what is between the quotes and put it in your text editor.

  10. Build the Essbase 19c Stack.

    Make sure you choose the correct Essbase Compartment.

    Give your Stack a name.

    This is where your text editor comes in handy…

    In the KMS Key OCID, enter OCID from your Vault Key.

    In the KMS Service Crypto Endpoint, enter the endpoint from the Vault.

    Choose your Availability Domain, Instance Shape (OCPUs), Storage Size, the SSH Public Key you generated earlier, the Essbase Admin username, and, finally, the Encrypted EssbaseAdmin (from the oci command line) password.

    Go to your IDCS console and copy your idcs-xxxxxx name from the URL bar.

    In the IDCS Instance GUID, enter the idcs-xxx name you just copied.

    In the IDCS Application Client ID, enter the Essbase Application ID from from your text editor.

    You will need to run your Client Secret through the oci encryption tool and paste the encrypted value into the IDCS Application Client Secret, as well.

    Unless you have existing infrastructure pieces, you don’t need to change anything. Additionally, you can add a Load Balancer here or a private subnet.

    Under Database Configuration, enter a database admin password, encrypted using the same OCI command line process.

  11. After you click “Create”, the Terraform script will start running to build all the instances.

    After around 20 minutes, your instance will be created.

  12. If you click on the “Outputs” tab, you will see your URL and other pieces of info needed to re-enter the URLs on the Essbase Application page on the IDCS Console.
  13. Via the IDCS Console, add the URLs.
  14. If we go back to the Stacks page, we can access our Essbase environment.
  15. You’ll want to add any additional users and/or groups via the Security tab. They will also need to be added to the appropriate cubes, once load.


  1. Sarah, This is very good. Just a question, you say to paste in your client secret from your notepad, but I believe you have to run it though the cli encryption before you paste it in.

  2. You might also want to put in a disclaimer about the Policies you are using. I have been told, you should explicitly list the policies and not give all access (At least for production environments) . The documentation lists all of the policies you should need

    1. Yeah, I hear you. I’m going to keep it as is because I already called out at the top that this is a basic installation without the normal customer considerations of networking, load balancing, etc. Just wanted to give people an idea of what the setup entails.

  3. Hi Sarah, this is great however the first screenshots 003, 004, 005 are confusing, are they coming from the same OCI version (smell like Gen1)?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s