Wednesday, July 22, 2020

Peoplesoft Kerberos SSO Extended Logging

Kerberos is moving away from peoplesoft as of PT 8.57. Until 8.56 Oracle used to deliver the SDK and later on they removed the SDK from Tools package.

Surprisingly oracle does delivers the source code for customers to make use of this and use kerberos as an SSO.

You can find the sorce code from below location

$PS_HOME/sdk/desktopsso/src/com/peoplesoft/pt/desktopsso/kerberos

KerberosSSOFilter.java  ===> Will be used in webserver for requesting token.
KerberosSSOValidator.java ===> Will be used for app server validation.


Kerberos is a such a nice and strong SSO solution so i would keep using SSO but it does lacking the logging feature.

Means if there is any issue you cannot simply troubleshoot as error message just says below


 <BEA-000000> <KerberosSSOFilter: Received invalid token.>

Error seems to be generic. So i thought we can add few more logging capability in java class and recompile it.

Add below line of code right after line #142.

142             catch (GSSException e) {
143                 this.verbPrint("Received invalid token.");
144                 this.verbPrint(e.getMajorString());
145                 this.verbPrint(e.getMinorString());
146                 this.verbPrint(e.getMessage());
147                 this.verbPrint(e.toString());
148                 System.out.println("Major Code: " + String.valueOf(e.getMajor()));
149                 System.out.println("Minor Code: " + String.valueOf(e.getMinor()));


Try compiling it using JDK (please do not use JRE)

$PS_CFG_HOME/webserv/<domain_name>/bin/. ./setEnv.sh
export CLASSPATH=$CLASSPATH:$PC_CFG_HOME/webserv/<domain_name>/applications/peoplesoft/PORTAL.war/WEB-INF/classes
$JDK_HOME/javac KerberosSSOFilter.java 


In case if you get below error while compiling.

KerberosSSOFilter.java:324: error: getHeaderNames() in KerberosSSOFilter.KerberosAuthWrapper cannot implement getHeaderNames() in HttpServletRequest public Enumeration getHeaderNames() { ^ return type Enumeration is not compatible with Enumeration

Please get the line # and change the ? with string like below.


180         @Override
181         public Enumeration<String> getHeaders(final String name) {
182             if (name.equals("KRB_USER")) {
183                 final Vector<String> values = new Vector<String>();
184                 values.add(this.principalName);
185                 return values.elements();
186             }
187             final HttpServletRequest req = (HttpServletRequest)this.getRequest();
188             return req.getHeaders(name);


Now the actual error message will be logeed in your PIA_stdout.log along with received invalid token.

<BEA-000000> <KerberosSSOFilter: Received invalid token.>
<BEA-000000> <KerberosSSOFilter: Failure unspecified at GSS-API level>
<BEA-000000> <KerberosSSOFilter: Invalid argument (400) - Cannot find key of appropriate type to decrypt
 AP REP - AES256 CTS mode with HMAC SHA1-96>
<BEA-000000> <KerberosSSOFilter: Failure unspecified at GSS-API level (Mechanism level: Invalid argument
 (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)>
<BEA-000000> <KerberosSSOFilter: GSSException: Failure unspecified at GSS-API level (Mechanism level: In
valid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)>
<BEA-000000> <Major Code: 11>
<BEA-000000> <Minor Code: -1>


You can pass on this error message to respective team who is responsible for generating keytab.





Peoplesoft Downtime Notification in Header

  Often we recycle Non prod server or even prod server during business hours. ideally we send email to users but not all the time users will...