Encrypting MaxL Security


June 17th, 2014

Clients are becoming increasingly concerned with security within their Hyperion environment, and rightly so. Having administrator credentials hard-coded into our scripts is not a real secure solution. The real solution is to encrypt the administrator credentials using public and private keys within a Windows environment. NOTE that this approach written and tested using a Windows 2008 R2 Standard Server.


Steps to Encryption

Step 1: Initiate a remote desktop connection onto the Essbase server.

Your MaxL scripts don’t necessarily have to reside on the Essbase server, but the MaxL shell does need to be properly configured so that you can access the Essbase shell by typing ‘startmaxl into the command prompt from any directory.

Step 2: Open a command prompt window, and type…

startmaxl –gk


This command creates the Public and Private keys that you will be using. The Public key is used to encrypt your scripts, while the Private key is used to decrypt your script prior to runtime.

Step 3: Open a blank notepad document and record both of these keys, as you will be using them several times…

Public Key: 21157,1723372087

Private Key: 1186517533,1723372087

With an un-encrypted script, the admin credentials can be entered into the MaxL script file itself, or passed into the script from the DOS batch file via instance variables…

In MaxL File:

login admin password on aphrodite;

Passed to MaxL File from DOS batch:

startmaxl script_to_be_run.mxl admin password aphrodite

login  $1 $2 on $3;

For the encryption to work, the admin credentials must be in the MaxL file itself, and not passed in as instance variables.

For simplicity, navigate to the directory where your MaxL script resides, (C:\TopDown\Essbase) in this example.

Issue the following command…

startmaxl –E script_to_be_encrypted.mxl 21157,1723372087

Where 21157,1723372087 is the Public key you created previously.


Issuing this command creates a copy of your MaxL script and adds an ‘s’ to the file’s extension. You can use .msh, .mxl, or even .txt for your scripts. After encryption, these will be .mshs, mxls, or .txts respectively. The new file will be created in the same directory as its original.


If you open the new script that was just created, you can see what has changed…


Notice the username and password are no longer visible.

Now you can test your newly created, encrypted script. Issue this command…

startmaxl –D script_to_be_encrypted.mxls 1186517533,1723372087

Where 1186517533,1723372087 is your Private key.



If your script executes, delete the original MaxL file, empty the trash, and you’re done!

Repeat for all of your MaxL scripts using the same Public and Private key pair.


About TopDown Team

The TopDown Team includes members of TopDown Consulting who want to let the community know about webcasts, conferences, and other events. The team also conducts interviews on various EPM industry topics.

2 comments on “Encrypting MaxL Security”

  1. kelsey says:

    i have a 64 bit win 7 machine

    what software do i need to run maxl scripts

    1. Hi Kelsey,

      You need to have the Essbase Client installed on your machine, this includes an executable shell program called startmaxl.cmd. You should contact your system administrator to get access to the install files.


Leave a Reply

Your email address will not be published. Required fields are marked *