Peoplesoft Downtime Notification in Header

  Often we recycle Non prod server or even prod server during business hours. ideally we send email to users but not all the time users will see email as they continue to work in PeopleSoft. so thought there should be a interactive way to notify the users about downtime or maintenance etc.

Peopelsoft provides push notification but it does not give the option to broadcast for performance reasons.

Here is the simple approach to broadcast any message. for example i need to shutdown one of my production server at specific time so now i am going to push this message

1. Navigate to Peopletools - Portal - Branding - Define Branding Headers and Footers

2.Bring up your header in this case fluid.

3.Navigate to company info and click on additional options

4.Enable Company banner area.

5.Add below marquee text so that it will scroll at the top and its eye catchy users can read and save their work.

<marquee direction="left" height="20px" width="100%"> System Will Go down in 10 minutes for Maintenance.We will be back @ 12 PM EST. Sorry for the inconvenience. </marquee>

Output/Result.

System Will Go down in 10 minutes for Maintenance. We will be back @ 12 PM EST. Sorry for the inconvenience.

 

Beauty of this approach is no cache clear is required . PeopleSoft brilliantly uses rowset cache method for company info which works well.

How to Disable TLS1.0/1.1 in Peoplesoft

Recent times all the organization had started disabling the tls 1.0/1.1 protocol across thirer network.

here is the extensive list on various places you need to disable in peoplesoft component.

1. Webserver - Under setenv append below parameter.

 

SET JAVA_OPTIONS_WINXX=-server -Xms512m -Xmx512m -XX:MaxPermSize=128m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2

 

2. Appserver/Prcs Server - under psappsrv.cfg & psprcs.cfg file append below parameter.

 

JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Xms32m -Xmx128m -Dhttps.protocols=TLSv1.2

 

3. Elastic Search- Update below in $JAVA_HOME/lib/security/java.security (Doc ID 2470444.1)

 

jdk.tls.disabledAlgorithms=SSLv3, TLSv1.0,TLSv1.1, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 

4. Ren Server - Update psrenconfig.txt with below values. (Doc ID 2536363.1))

 

# Restrict the REN server to a particular version or versions of SSL

# allowed values are tlsv1, tlsv1_1, tlsv1_2

ns_param ServerProtocols tls1_2

ns_param SockServerProtocols tls1_2

ns_param SockClientProtocols tls1_2

 

5. LDAP - For peopletools 8.54.20 or above its already TLS1.2 is enabled by default.

 

final String protocol = vendor.toLowerCase().contains("ibm") ? "SSL_TLSv2" : "TLSv1.2";

final SSLContext sslcontext = SSLContext.getInstance(protocol);

 

6. SES - Update below.

 

In <mw_home>/user_projects/domains/search_domain/bin/setDomainEnv.sh, set:

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"

 

Testing:

1. Webserver - Disable TLS 1.0/TLS1.1 in browser and try accessing your PIA site or if your site is accessible in chrome it is enforced to TLSv1.2. Chrome disable TLS1.0/1.1 long back.

2. App Server - If you use https gateway try loading it . it should succesully load the connectors.

    Prcs  Server  - In case if your report node is configured to use https protocol. then try running sample report and this should succesfully post your report to web server.

3. ES Server - Here we are just disabling as far as ES ping succesful then you are good.

4. Ren Server - Follow point #1 to run the ren server reports in browser.

5. LDAP -Try pinging LDAP configure directory.

6. SES - Follow Point #3.

Peoplesoft Kerberos SSO Extended Logging

Kerberos is moving away from peoplesoft as of PT 8.57. Until 8.56 Oracle used to deliver the SDK and later on they removed the SDK from Tools package.

Surprisingly oracle does delivers the source code for customers to make use of this and use kerberos as an SSO.

You can find the sorce code from below location

$PS_HOME/sdk/desktopsso/src/com/peoplesoft/pt/desktopsso/kerberos

KerberosSSOFilter.java  ===> Will be used in webserver for requesting token.
KerberosSSOValidator.java ===> Will be used for app server validation.


Kerberos is a such a nice and strong SSO solution so i would keep using SSO but it does lacking the logging feature.

Means if there is any issue you cannot simply troubleshoot as error message just says below


 <BEA-000000> <KerberosSSOFilter: Received invalid token.>

Error seems to be generic. So i thought we can add few more logging capability in java class and recompile it.

Add below line of code right after line #142.

142             catch (GSSException e) {
143                 this.verbPrint("Received invalid token.");
144                 this.verbPrint(e.getMajorString());
145                 this.verbPrint(e.getMinorString());
146                 this.verbPrint(e.getMessage());
147                 this.verbPrint(e.toString());
148                 System.out.println("Major Code: " + String.valueOf(e.getMajor()));
149                 System.out.println("Minor Code: " + String.valueOf(e.getMinor()));

Try compiling it using JDK (please do not use JRE)

$PS_CFG_HOME/webserv/<domain_name>/bin/. ./setEnv.sh

export CLASSPATH=$CLASSPATH:$PC_CFG_HOME/webserv/<domain_name>/applications/peoplesoft/PORTAL.war/WEB-INF/classes

$JDK_HOME/javac KerberosSSOFilter.java 

In case if you get below error while compiling.

KerberosSSOFilter.java:324: error: getHeaderNames() in KerberosSSOFilter.KerberosAuthWrapper cannot implement getHeaderNames() in HttpServletRequest public Enumeration getHeaderNames() { ^ return type Enumeration is not compatible with Enumeration

Please get the line # and change the ? with string like below.

180         @Override

181         public Enumeration<String> getHeaders(final String name) {

182             if (name.equals("KRB_USER")) {

183                 final Vector<String> values = new Vector<String>();

184                 values.add(this.principalName);

185                 return values.elements();

186             }

187             final HttpServletRequest req = (HttpServletRequest)this.getRequest();

188             return req.getHeaders(name);

Now the actual error message will be logeed in your PIA_stdout.log along with received invalid token.

<BEA-000000> <KerberosSSOFilter: Received invalid token.>

<BEA-000000> <KerberosSSOFilter: Failure unspecified at GSS-API level>

<BEA-000000> <KerberosSSOFilter: Invalid argument (400) - Cannot find key of appropriate type to decrypt

 AP REP - AES256 CTS mode with HMAC SHA1-96>

<BEA-000000> <KerberosSSOFilter: Failure unspecified at GSS-API level (Mechanism level: Invalid argument

 (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)>

<BEA-000000> <KerberosSSOFilter: GSSException: Failure unspecified at GSS-API level (Mechanism level: In

valid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)>

<BEA-000000> <Major Code: 11>

<BEA-000000> <Minor Code: -1>

You can pass on this error message to respective team who is responsible for generating keytab.

User Profile Emulation in PeopleSoft

We used to simulate the user issue in non prod by changing the password for respective username and login to replicate the issue.Its always a security concern and there is no track of it.

I have seen other ERP application does gives this emulate  as different user functionality without touching their security. But peoplesoft does not give such feature for user emulation.

i have created an Idea in oracle community to get this future in peopletools. hope this will be accommodated in future release. Please do vote .

https://community.oracle.com/ideas/23725

In the interim i came up with below idea.with this approach you do not need to change end user password and also it keeps the track of individual user who is emulating as other user.

So below blog will explain you on how you will emulate as different user.

1. Create new site called simulate in existing weblogic domain.

for example : 

Existing Site Name : PSDEV

New Site Name  : SIMULATE

2. Add below html in your original site signin.html. (PSDEV)

<a href="https://velu.peoplesoft.com/psp/simulate/?cmd=login">Impersonate User</a>

3. Add below html in your new site signin.html (SIMULATE)

<div>

               <span class="ps_label-show" id="ptLabelUserid"><label for="imuserid"><%=1333%></label></span>

             </div>

             <div class="ps_box-control">

               <input type="text" id="imuserid" name="imuserid" value="<%=IMUSERID%>" title="<%=1333%>">

           </div>

4. Open your FUNCLIB_LDAP record and goto LDAPAUTH field peoplecode.

Create new function called IMPERSONATE as below.

Function impersonate();

   &signonusername = %SignonUserId;

   &userName = %Request.GetParameter("IMUSERID");

   &ipaddress = %Request.GetHeader("X-FORWARDED-FOR");

   SQLExec("select roleuser from psroleuser where rolename='PeopleSoft Administrator' and roleuser=:1", &signonusername, &roleuser);

   If &userName = "" Then

      SetAuthenticationResult( True, Upper(&signonusername), "", False);

   Else

      If &roleuser = "" Or

            &userName = "PSADMIN" Or

            &userName = "PSAPPS" Or

            &userName = "PTWEBSERVER" Then

         SetAuthenticationResult( False, &userID, "You are not authorized to do Impersonation");

      Else

         SQLExec("INSERT INTO PS_IMPERSONATE VALUES (:1,:2,:3,:4)", &signonusername, &userName, &ipaddress, %Datetime);

         SetAuthenticationResult( True, Upper(&userName), "", False);

      End-If;

   End-If;

   

End-Function;

5. Create a new record with below field to keep a track of who is logging in.

Make sure you build the record

6.Add LDAP_AUTH peoplecode in signon peoplecode as below.

Bounce your app server by clearing cache.

Tetsing:

1. Open your exiting PIA. You will see a Hyperlink called Impersonate User.

2. Click on impersonate user. It will take you to your newly created SITE called simulate.

Now provide your username/password and the username you want to login as.(in Impersonate user as)

You can see it logged in as user id which you put in.

3.You can query the table select * from PS_IMPERSONATE to check if the values are captured. this will help you for audit purpose.

Points to note:

1. I have hardcoded Peoplesoft Administrator role in peoplcode. So if you any user want to use this functionality they should have Peoplesoft Administrator Role else it will throw below error.

2. Also you may need to use peoplesoft password to login , if you use LDAP password it may fail. I will update the post once i enhance my peoplecode to make it work with LDAP password

Peopletools 8.56.18

DB 12C

NOTE: I would recommend only to use it in NON-PROD .. never move this code to production .

I just did this as for learning purpose. Implement this on your sole responsibility.

Weblogic Console password reset

I have tried so many ways and concluded that  We don’t have any procedure to override the existing console password. So, in this blog w

Find Menu Navigation in Peoplesoft

Below are few ways to find Menu Navigation

1. SQL to find Menu navigation.

SELECT A.PORTAL_LABEL || ' --> ' || B.PORTAL_LABEL || ' --> '  || C.PORTAL_LABEL || ' --> '  ||  D.PORTAL_LABEL Navigation FROM PSPRSMDEFN D, PSPRSMDEFN C, PSPRSMDEFN B

, PSPRSMDEFN A WHERE D.PORTAL_PRNTOBJNAME = C.PORTAL_OBJNAME AND C.PORTAL_PRNTOBJNAME = B.PORTAL_OBJNAME AND B.PORTAL_PRNTOBJNAME = A.PORTAL_OBJNAME AND D.PORTAL_NAME = C.PORTAL_NAME AND C.PORTAL_NAME = B.PORTAL_NAME AND B.PORTAL_NAME = A.PORTAL_NAME

AND D.PORTAL_URI_SEG2 = <provide Component name>;

2. Use enterprise component to find object navigation as below. Navigate Menu --> Enterprise Components --> Find Object Navigation..

Also you can refer below doc .

E-PORTAL: How To Determine The Navigation Path Of A Content Reference (Doc ID 637615.1)

PeopleSoft Fluid Approval Form Instruction Page -Rich Text Editor

In classic Approval page form builder we do see an option for Rich Text editing as below. But when you look at the fluid page RTE is not enabled . This is due to the limitation of FLUID page as it does not support RTE (E-FLUID : Is RTE(Rich Text Editor) Field Supported In Fluid Pages ? (Doc ID 2108005.1)

So as a workaround you can try to embed HTML tag as shown below in FLUID form builder instructions page.

 

i have simple html tag as shown below . It works well.

You can also try in HTML editor and simply copy paste with HTML tags.

Concurrent Users in Peoplesoft

This article is all about counting number of concurrent users connected to People soft.

We all know each and every login will make an entry in PSACCESSLOG table with Login & Logout Date and Time.But its not that accurate , because when the user closed the session without signing out then logout time will never be captured.

So to over come this issue I got an idea to get the session details from Web server as this will give you the live data.

Step:1 Create the script called Session.py as mentioned below

#File Name : 'Session.py'

# Author : Velu

import sys

import datetime

now = datetime.datetime.now()

filecsv = open("$PS_HOME/webserv/psofthr/applications/peoplesoft/PORTAL.war/session.csv", "a")

file = open("$PS_HOME/webserv/psofthr/applications/peoplesoft/PORTAL.war/session.log", "a")

print >>file, "Current date and time:",now.strftime("%Y-%m-%d %H:%M")

connect('system','Password1!','t3://WEBSERVERHOST:PORT')

serverRuntime()

cd ('ApplicationRuntimes/peoplesoft/ComponentRuntimes/PIA_')

currentsession1= get('OpenSessionsCurrentCount')

print >>file, "=========================================="

print >>file, "Number of session in Peoplesoft Webserver  :" ,currentsession1

Step:2 Create a script called sessionmonitor.ksh as mentioned below.

#File Name :'sessionmonitor.ksh'

#Author : Velu

#!/bin/ksh

cd $WL_HOME/oracle_common/common/bin

./config.sh

cd $WL_HOME/oracle_common/common/bin

./wlst.sh /global/site/vendor/psofthr/scripts/sessionmonitor.py

Step 3: Schedule a sessionmonitor.ksh for every 5 minutes in cron .

Step 4: Now access the below URL to get the live data.

       http:/webserverhost:port/session.log

Step 5: As we are generating the output in CSV format as well ,so you can get the graphical way to get the concurrent users. I used Qlik sense tool and this tool will accept http url and here is the snapshot.

http://webserverhost:port/session.csv

Appendix:

  You can also get more information from WLST . if you would like to get the user details follow the below command.

Hope this helps!!!!

Please comment for any issue/Questions.

PeopleSoft Elastic Search Installation

This video demonstrates the Elastic Search installation DPK for PeopleSoft. Below is the environment details.

People tools 8.55.11

HCM 9.2 Image 19

Tuxedo 12.1.3 Patch 040

Weblogic 12.1.3

Oracle Database 12.1.0.2

Thanks for Watching.

Please comment for any issues.

Process Scheduler

PeopleSoft process scheduler is one of the most critical part in batch scheduling. Because most of the critical job is running under Batch server.

Pretty enough to say about Batch server,Now this post is all about how good Peoplesoft security is in place to post the reports.

We all know after the process went to success reports will get posted to report repository, so we know how the process are picked up and processed in sequential manner.

Let me give small heads up , whenever you run the process from front end ,Application server will issue a request and hence 3 process scheduler tables will get updated, Every 10 seconds Batch server will check for these 3 core tables and if it finds the new request then it will start processing the request, once it finishes this will generate the report output in LOG_OUPUT directory.

Now How reports are getting posted ?

  Here is the weak security we are providing (if in case if you select http protocol) to most critical report repository.

Do you know how?

1.once PSAESRV server completes the request and generates the report in LOG_OUTPUT directory.

2.PSDSTSRV server will pick the report and ready to transfer the report in report repository which is present in webserver machine.

  So here is the question what authentication we are giving to put the report in webserver machine report repository?
if you see the below snapshot we are just giving the server name ,port number and the site name.

Authentication field is empty, but still reports are posted.How?

   The answer is we are not providing any authentication.

So how webserver machine will allow the reports to place in repository?

Behind the scenes SCHEDULER TRANSFER servlet which is running in webserver machine (its a java api servlet ) and its open to all.

PSDSTSRV server will pick the report and it will contact SCHEDULER TRANSFER servlet in clear text and without authentication , because already servlet is opened for all clients.

So once the PSDSTSRV server sends the report , SCHEDULER TRANSFER (running in webserver) will recieve the report and place the reports under report repository folder.

This is why Oracle is recommending to provide full access to report repository folder for the user who is starting WEBSERVER .


   So Peoplesoft has not provided the security ?

The answer is no Peoplesoft is recommending to go for HTTPS/FTP,XCOPY protocol instead of HTTP, Because in HTTP protocol Scheduler Transfer will allow all the incoming reports.

You can also develop a java code to contact Scheduler transfer and post or retrieve the reports because it is open to all the clients.

But if you are using HTTPS protocol there will be a certificate installed in both Process scheduler and Webserver , so all the incoming connection will come with digital certificate and it should match with certificate placed in Webserver (i.e.,Scheduler Transfer). So no one except PSDSTSRV with valid certificate cannot place the reports in Report repository folder.


So are you using HTTP protocol in production environment, this is the risk involved and change it back to HTTPS protocol.

Cheers!!!!!!

Peoplesoft Encryption

This Article explains about Peoplesoft Encryption technology.

Before explaining , let me discuss about some terms related to Encryption.

One Way Encryption/Decryption: - Means once you encrypt any password , you can never be decrypted (Even Oracle/Peoplesoft cannot do this)

Two Way Encryption/Decryption: - Means you can decrypt the encrypted password when it is really required.

Peoplesoft is really Chosen the best technology for thier own security .Now i will explain the technology used by peoplesoft in our login process. As this is most important part, hope you will enjoy it!!!!!

Encryption 1: SHA 1algorithm

  If you look at the OPERPSWD field in PSOPRDEFN table, it will be in encrypted format and this is using SHA 1 which is one way encryption technology which can never be decrypted.

So here is the question why peoplesoft chose one way?

    The secret behind this is, whenever the login process happens the password you provided can again encrypt using the same technology and compare against your PSOPRDEFN table. So no one can decrypt the password, as this is the most important security table.

And if you look at the encrypted field in PSOPRDEFN table there will be 1/0.

Why we need this?

Suppose you are updating the password from backend, then you should update the encrypted field as zero. If not ENCRYPT_PASSWORD function will consider this password is already encrypted.

So simply ENCRYPT_PASSWORD will check the encrypted field , if it is zero it will encrypt otherwise vice versa.

So use this function only to encrypt psoprdefn table encryption

Encryption 2: - 3 DES Algorithm.

  This algorithm is purely developed by peoplesoft in 2 way communication, which means you can decrypt the password to clear text.

So why we need to decrypt and why different algorithm?

If you look at the above snapshot both access id and access password is encrypted. So in my previous post i said ultimately PeopleSoft will login with Access id/Password. So oracle never understand the encrypted format. we need to store ACCESS ID/PWD in encrypted format as well as at the run time we need to decrypt it. So it will login to oracle database with clear text. Thats why we are using 2 way algorithm

If you look at the snippet in the trace(highlighted in red) you will find the SYSADM user , so here we can prove that decryption is happening.

 1-14     21.08.47    0.014000 Cur#0.1072.notSamTran RC=0 Dur=0.014000 Destroy Connection Handle=0000000002A80C50
 1-15     21.08.47    0.043000 Cur#0.1072.FSCMD92 RC=0 Dur=0.043000 Create Connection Info=Primary/FSCMD92/SYSADM/ Handle=0000000002A80C50

Peoplesoft embeds both encrypt/decrypt in thier tools like APP-D, Data Mover ..etc.

Thats why we don't need to exclusively run any command like ENCRYPT_PASSWORD as we did in above algorithm.

Hint:Just update the password in PSACCESSPRFL make encrypted as zero then try to login via APP-D or Data mover, Peoplesoft will automatically encrypts and updates the encrypted field as 1.


Encryption 3:- Java based encryption.

This encryption is bit different, and this will happen only at the web server level. If we need to boot webserver,then PTWEBSERVER credentials is mandatory. But Peoplesoft never stores any password in clear text any where. So it should be encrypted with some algorithm and decrypt using the same. So they decided to use java based.

But why we need java based ?

So here is the reason behind it, peoplesoft does not have its own weblogic server , so we need to use Oracle Weblogic and this is java based  and it never understands 3DES algorithm which is developed by peoplesoft(2 way communication) also we cannot use SHA1, because it is one way communication. So they have written a java based encryption so that it will be in encrypted format and at the run time it will decrypt using decrypt function.

So we used to use pscipher.bat utility to encrypt the password

Can we decrypt any one of the above password ?

 Encryption 1:- No ..As i said earlier if encryption is 1 way even Oracle/Peoplesoft does not have decrypt function. So you can't, only try you can give is brute force attack.

Encryption 2: - Yes , Our Application designer and datamover is designed in C++ code, so if get the source code for the app-d or data mover , we can find the decrypt function and hit that function. Its not that easy.

Encryption 3:- Yes - This is a java based utility you can open the pscipher.bat

and get the java class as stated above names as PSCIPHER and  decompile it and take a look, you will find a decrypt function. So pscipher.bat file is calling only encrypt function in java class, you can try and call decrypt function then you can made psdecipher.bat file (if you are java expert).

Now you are done!!!!

Happy to help!!!!!!