I changed sessions at the last minute yesterday and ducked into Todd Sheetz's (AKA Cheesehead DBA) session on using Oracle Enterprise Manager with PeopleSoft. Todd is with Veolia Environmental Services in Wisconsin, and is also active with the IOUG. As I walked in Todd was already deep into how to get things installed and properly configured.

One key takeaway from this for people that are wanting to get started is that you need to have Grid Control already installed and configured before doing anything with the PeopleSoft plugin. Makes sense.

Todd also went through some of the security configuration and potential challenges. Due to the nature of Enterprise Manager actually, you know, managing things, it needs to have a fair amount of access (it needs access to PSHOME, Another part of the configuration is running a discovery defining
the Grid Control Management Agent, etc.). Nothing out of the ordinary, but depending how your organization is structured, you may need to coordinate this with a few different people).

One other good tip that Todd had for setup was to figure out the GUIDs for your environments up front. Todd had a pointer to David Kurtz's blog for the details on how PeopleSoft generates a globally unique identifier (GUID) for each instance. However, if you allow a GUID to be regenerated for an environment when cloning instances (which is a common practice), then the PeopleSoft plugin for Enterprise Manager does not recognize that the GUID has been changed. By generating your GUIDs upfront and keeping track of them, you can restore the proper GUID when you (for example) refresh a test database from production.

Once the plugin has been installed and is up and running on the different hosts that are running PeopleSoft, then you go online and have it discover what PeopleSoft environments that you have up and running. There was some discussion here about possible issues when you have multiple PeopleSoft environments installed on a single host, but using different accounts for them (e.g. a locked down production or production support environment along with other dev/test environments). Todd recommended running the discovery process once for each PeopleSoft environment to help alleviate this issue.

You can define a single PeopleSoft "system" to include all web servers, app servers, process schedulers, and database, but Todd mentioned that he likes to define the database separately so that when you do things like blackout the system he can manage the database blackouts separate from the appserver blackouts. We ended up having some group discussion at the podium afterwards about managing blackouts - one takeaway for me is to investigate integrating the work that we (Grey Sparling) have already done in this area for PeopleSoft with the Enterprise Manager PeopleSoft plugin.

Todd also did some live demos of their production instance of Enterprise Manager. Everything was green (which was good, else Todd might have had to demo how to fix a problem in front of everyone :-). He showed some of the different graphs and charts available, as well as how to define your own.

Labels: 2009, OpenWorld, Sysadmin

I've recently been using Vista a lot more as a client machine lately (I know - just in time for Windows 7 to come out I finally start using Vista on a regular basis :-) I hit an interesting problem when running an older version of PeopleTools on Vista though. Resolving the issue ended up using some of the techniques that we have shown in our "Troubleshooting PeopleSoft" presentations, so I figured it would be a good blog entry.

We're connecting to a PeopleTools 8.46 environment running SQL Server. PeopleTools is being run from a network server.


So far, so good. Putting in a password and clicking OK triggers the invalid user/password dialog.

I know that I have a valid access ID and password entered via Configuration Manager. Let's check out our ODBC data source info in Control Panel to be sure that we defined that properly.






That looks good. We've verified database connectivity, but we get kicked out very early in the login process for PeopleTools. I've skipped showing it here, but if you run a SQL trace for PeopleTools right now, you'll see that the error message is correct; it's the initial login to the database that PeopleTools is attempting that is failing.

At this point I fired up Process Monitor to see what was happening. Process Monitor is one of suite of freely available tools from Microsoft that can provide some good low level info about what is happening on Windows. It's not the same Process Monitor that is part of the PeopleSoft Process Scheduler.

After closing Application Designer, I launched Process Monitor, then restarted Application Designer and tried to login. As soon as I got the login error, I switched back to Process Monitor and had it stop capturing activity.



Stopping the capture is important because Process Monitor captures large volumes of detail. If you look at the bottom left of the screenshot above, you'll see that in just the amount of time it took me to try logging in to PeopleSoft, Process Monitor captured over 300,000 different events.



Thankfully Process Monitor has a very cool filter feature. Here we've told Process Monitor to filter the events captured by process name so that we can just see what is happening with pside.exe, and not all of the background processes that are running in Vista.



Filtering just the pside.exe activity still left us with over 8000 events to go through, so we need to do some more filtering. We're suspicious of the database connectivity, and those ODBC entries are stored in the registry, so in the screenshot above we have filtered by operation and limited it to operations starting with "Reg" so that we pick up the registry activity that pside.exe is doing.



That still leaves us with over 1800 events though. That's quite a bit of registry activity being done by Application Designer! Since we were trying to connect to the HCM89 database, we'll do a little bit more filtering. For events like registry and file system access, Process Monitor lets you filter by path as well.

By limiting the registry access events to only include cases where the path references HCM89, we've gotten our original 300,000 events down to just 73. We can see several NAME NOT FOUND errors in reference to ODBC entries for HCM89, so we may be on to something.

A closer examination of those and we discover that PeopleTools tries reading the ODBC entries from HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\HCM89, and then when that fails it is trying to read from HKEY_LOCAL_MACHINE\Wow6432Node\SOFTWARE\ODBC\ODBC.INI\HCM89.

What is Wow6432Node? Microsoft's Knowledge Base has a document on this. The purpose of this is to keep 32 bit programs and 64 bit programs to keep from stepping on each other.

Did I forget to mention that I'm running 64 bit Vista? (sneaky users - never tell the support people key info until after the fact :-)

A quick check with regedit to see what values are actually in the registry reveals that the ODBC entries that were created with the Control Panel applet are in the registry in HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\HCM89, and there are no entries in HKEY_LOCAL_MACHINE\Wow6432Node\SOFTWARE\ODBC\ODBC.INI\HCM89.

So I copied the HCM89 entries into the correct Wow6432Node, then launched Application Designer.


Bingo!

The next step from here would be to investigate how to make this work without requiring manual registry edits, but that will have to wait for another blog post.

Labels: 2009, Support, Sysadmin, Vista, Windows

We wrote awhile ago about how to enforce password protected screensavers in Windows. Password protected screensavers that automatically kick in are nice because they secure the users' desktop when they walk away, which protects their email, local documents, etc. in addition to their PeopleSoft sessions. Lots of customers that use our Desktop Single Signon for PeopleSoft product have implemented this.

In some cases though, locking the current session isn't the desired behavior. In kiosk environments or other types of shared workstations, you want someone else to be able to login, so having the workstation locked to the last user isn't good.

It turns out that Microsoft has a screensaver, winexit.scr, that will log the user out when the screensaver activates. The screensaver is part of the Windows Resource Kits; here's the download for the Windows Server 2003/Windows XP Resource Kit. There are lots of writeups out there about using winexit.scr, but the best one that I found was from David Carlin at Case Western Reserve University. His blog post describes his experience implementing this at one of the computer labs there.

There is at least one commercial product out there (ActiveExit XP) that handles similar requirements, although we don't have any experience with it.

Labels: 2009, Security, Sysadmin, Windows

I had a question the other day about getting going with PeopleSoft Performance Monitor so I thought I'd post a quick roundup/summary of the various material out there.

For those that don't know, Performance Monitor is included with PeopleTools since PeopleTools 8.44. There's a little bit to learn on setting it up / understanding it, but it's a great tool and well worth learning.

Documentation.

You'll certainly want to have the Performance Monitor PeopleBook handy while going through setting up Performance Monitor.

Presentations.

Back in April Oracle had an Oracle Advisor webcast on the setup and configuration of Performance Monitor. Here is the recording of that (Customer Connection/Metalink/My Oracle Support login required).

Lorne Kaufman of System Efficiency gave a great session at Collaborate this year about setting up Performance Monitor. Unfortunately, I can't seem to find a link to the actual presentation anywhere. We'll have to hassle Lorne about that.

David Kurtz of Go-Faster Consultancy has a nice selection of Performance Monitor presentations on his website. He also has a few different blog entries with tips and techniques on Performance Monitor. Those include some performance tuning tips for Performance Monitor itself which he figured out by having Performance Monitor monitor itself :-) He also mentions some issues that they had in a large scale environment where Performance Monitor was handling 20-30 million rows of history data each week! Good stuff.

Performance Monitor enhancements.

Brent Martin of ERP Associates has a writeup on their blog about how to get Performance Monitor to send emails when certain conditions are triggered.

Performance Monitor incidents

Here are some quick searches for Performance Monitor incidents by PeopleTools release.

• 8.49
• 8.48
• 8.47
• 8.46

Labels: 2009, Performance, Sysadmin

I helped some folks the other day with an issue that had the potential to be very serious for them; exposure of production data without someone needing to login to the production system. Not good.

The Problem

For testing purposes they have copies of their production PeopleSoft databases; one for Financials and one for HCM. These copies are refreshed regularly and there are scripts run against them to handle some cleaning/sanitizing of the production data, so that the database can be used for testing.

They have some people that they allow to login to these test environments with any account so that they can confirm the results of basic processes. The accounts don't have default passwords, so this access was limited to the people that they authorized to do testing, but testers with access to these cloned environments could login as anyone.

One of the testers (we'll call him Fred) was logged in to the Financials test environment as some other user (we'll call her Sally) to test some process that would normally be initiated by Sally in the production system.

While doing this testing, Fred wanted to enter his timesheet data so he clicked on a link to go to the production HCM system for time entry. Much to his surprise, he was logged in to HCM as Sally! So Fred goes back to the test Financials environment, logs in as a different user, clicks the link into production HCM and sure enough he is logged in as that user in production HCM. To Fred's credit, Fred alerted the PeopleSoft support team there instead of snooping around in HCM.

How did that happen?

The problem comes from the fact that the production environments were configured to trust each other for PeopleSoft Single Signon, but the node names and node passwords were not changed as part of the environment cloning logic.

So when Fred signed on to the cloned Financials environment, the PS_TOKEN cookies generated are identical to what the production environment would generate (the details of PS_TOKEN cookie are documented in PeopleBooks, but the node name and node password are the important pieces here).

How could this be prevented?

There are several different ways of preventing this from happening. Let's take the pragmatic ones first.

1) Change the node password as part of the refresh script.

This is the easiest, most expedient thing to do. It is the absolute minimum way to solve this problem.

Although this solves the security problem, it introduces a headache for security auditors because the app server logs in the production environment will be full of warnings about failed logins from bad node passwords. That means that testers accessing production while logged in to the test environment will be indistinguishable from someone trying to break in by generating their own PS_TOKEN cookies.

It's not nice to annoy your security auditors by purposely creating log entries that look like break-in attempts, but are actually OK :-)

2) Change the node name.

Changing the node name when you clone environments will also solve the problem (because then the production environments will no longer trust the cloned nodes since they don't recognize the new names). This also solves the log problem mentioned in the previous item.

Changing the node name can have an impact on Integration Broker testing, but that just means that your integration test scripts need to be aware of this. Not a huge drawback in my opinion.

3) Use distinct passwords for each account in the test environment.

This is easy enough to do, it's mainly a question of distributing the passwords to the testers so that they can get in and do their jobs. Depending on your organization, this may or may not be easy.

4) Don't provide passwords to the testers, but allow them to reset them on demand.

Similar to the previous item, but gets around the distribution issue by making it an after the fact auditing issue. If Fred requests the CEO's password in the test system, it's very easy to audit for that and force Fred to explain why he felt that was necessary.

Computer security is typically focused on preventing people from doing things, but in some cases this model of auditing and disciplining after the fact may be OK.

This model reminds me of when we took our dog to a dog trainer a long time ago that recommended leaving a steak or something else on the kitchen counter for the dog to find. This was in conjunction with hiding around the corner so that at the moment the dog put his paws up to grab the steak, you would jump out and impress upon the dog that it wouldn't be wise to do that again. A real-time security audit if you will :-)

What are some of the less pragmatic options?

5) Have a new version of PeopleTools that can detect when a database is copied, and automatically scrub key information like node passwords, GUID, etc.

The implementation of this would be platform specific, but do-able. It would complicate things like having a hot database backup server though. I'm sure those sorts of issues could be addressed though.

6) Embed additional information beyond just node name and node password (like database name) in the PS_TOKEN cookie.

One issue that I can think of with this is that older PeopleTools versions would not be able to interoperate with this, but it could be a flag on the node definition as to whether interoperability with earlier versions of PeopleTools is required. If interoperability was required, then the existing PS_TOKEN format would be used, otherwise the newer format would be used.

Why didn't they know about this?

PeopleSoft Single Signon is documented in PeopleBooks, but there aren't any great writeups out there on the implications of it when cloning a PeopleSoft environment.

There are lots of writeups out there on "How to Clone a PeopleSoft Environment", and some discuss the importance of getting the node configuration correct, but they typically come at from the perspective of just making sure the environment works; not the security implications of it.

PeopleSoft Single Signon is well documented in PeopleBooks, but it just doesn't seem to jump out at people when thinking about cloning. I will give a shout-out here to Brent Martin of ERP Associates. Brent's writeup on cloning a PeopleSoft database is the only one out there that I could find that mentions this issue at all.

Labels: 2009, Audit, Security, Sysadmin

In our previous blog post we introduced a Continuous Integration server called Hudson to run automated tests against a PeopleSoft system for us. We didn't really get into any test content itself though; we just ran some dummy Application Engine code to show how Hudson can work with PeopleSoft.

Now that the framework piece is in place though, we can begin creating tests. For this blog post we're going to focus on testing functional aspects of PeopleSoft, not performance testing.

Functional Testing Webinar

Before getting into the details, I wanted to point out that we have an upcoming webinar on this exact topic on May 20th, so if you're interested be sure to register for that.

Functional Testing Options

There's a variety of different ways for doing functional testing. Dave Bain from Oracle recently announced the availability of a PeopleSoft specific unit testing tool called PS/Unit. We'll look at PS/Unit in an upcoming post, but if you're not familiar with unit testing you can think of it as testing the lowest level "units" of your code.

Another approach is doing browser-based testing. Browser based testing means having automated tests that drive an actual web browser instance and simulate an actual user's behavior. The primary benefit of browser based testing is that you can be reasonably sure that you are testing PeopleSoft as your users will be seeing and working with it.

In fact, browser based testing can be thought of as automating the way that most people test their PeopleSoft implementations today; which, sadly enough, is by having some of their functional users run through a series of manual tests in their browsers. Expensive, error-prone, incomplete are some of the adjectives that spring to mind when describing manual testing. Not to mention just the hassle of trying to get the functional users to participate in testing. They may be willing to participate once or twice, but if you need to incorporate any additional testing beyond your original project plan, it is a major hassle.

Browser based testing

Back in the old client/server days, PeopleSoft used to bundle SQA Robot (later purchased by Rational/IBM) because it understood something about the Windows controls used PeopleTools for creating the UI. These days the PeopleSoft UI is HTML/Javascript and there are lots of freely available tools that we can use for testing.

One tool that we like for functional testing via the browser is called Selenium. Selenium can run tests across multiple different browsers, and there is a plugin for running Selenium tests via Hudson so we can automate the execution and management of our automated tests.

Getting Started with Selenium

Before we get into running our Selenium tests in Hudson, we need to create some tests. The easiest way to do this is with the Selenium IDE, which is a Firefox plugin and can record, edit and debug tests. The tests themselves can be executed in other browsers, so we're only dependent on Firefox for our initial test development.

So if you're not already in Firefox right now, switch over to Firefox and launch the Selenium IDE plugin installer. Here is the current link, which is for version 1.0 beta 2, but you can check their download page as well to see if there are updated versions available.

Your First Test

After installing Selenium IDE, you can launch it from the Tools -> Selenium IDE menu in Firefox.



When Selenium IDE launches it automatically starts in recording mode, so you can switch back to your main Firefox window and begin working. For this first example, I

• Entered the URL for the PeopleSoft signon page


• Typed in the password (the user ID was already defaulted for me)


• Clicked "Sign In"


• Waited for the portal home page to load


• Clicked the "Logout" link

Then I switched back to the Selenium IDE window and stopped recording by clicking the Red button in the recording toolbar (unfortunately there are not keyboard equivalents for the Selenium recording toolbar). Let's see what Selenium captured for us.



The first thing to notice is that Selenium has captured http://www.gsdemo.com as the base URL. All URL commands will be relative to this (there are some extra things to know if you plan to write tests that go across more than one base URL).

The first actual command that Selenium has captured is the open command. All Selenium commands take the form of Command, Target, Value. Here the target is the URL /psp/ps/?cmd=login, which gets combined with the base URL. This opens the login page.



Next is the type command, where we entered the password. In this case Selenium realized that the pwd DOM ID for the password field was the simplest choice that would work. You'll notice that the Target editbox has become a dropdown box which shows some alternate methods of referencing the password field.



The next command is the clickAndWait command. Selenium recognized the Sign In button via it's DOM ID of Submit and used that.



The last command is also the clickAndWait command, but when we logged out, there was no unique DOM ID that was associated with the Logout link, so Selenium recognized the click by noting that the link text was Logout (eagle-eyed readers will note that the logout text in this environment has actually been customized from an earlier blog entry).

At this point we can repeatedly click the play button in the Selenium recording toolbar and watch the browser login and logout. There are actually two play buttons, one is for the current test case and one is for playing back an entire test suite (which is many test cases grouped together). In this instance it doesn't matter, but once you actually create test suites, then you'll want keep them straight in your head.

If you have any problems at this point playing back the test, you can try adjusting slider control in the Selenium IDE toolbar towards the "Slow" end. This causes Selenium IDE to wait a bit longer for commands to show some results.

Modifying the Test

Each of the commands that Selenium captured for us is modifiable, including being able to delete it. So to make our test a bit more exciting, we highlight the last command (the clickAndWait command that logged out) and delete it, since we don't want to logout just yet.

Then play the script again. This time when the script finishes you will be left on the portal home page (since we're not logging out). Pressing the Record button will start recording again at the end of the script.

This time we will navigate via the portal menu navigation to PeopleTools -> Security -> User Profiles -> User Profiles. Once the User Profiles component search page is up, we type in PTDMO and then press the Search button.

Before playing back this script, I made one manual edit. I changed the very top command from navigating to cmd=login to cmd=logout. PeopleTools will send back the signon page in both cases, but by starting with the logout command you clear server resources from the previous script run. Your system administrators will thank you for this small act of kindness :-)

When playing back the script, I have a small problem; the script does not playback successfully. It tells me that it can't find a frame named "NAV".

The source of the problem is that Selenium does not quite understand the way that PeopleTools is doing it's navigation. When we click on the first navigation link from the Portal home page Selenium records the following two commands.

1. Command: clickAndWait, Target: link=(the name of the link)


2. Command: waitForPopup, Target: _parent, Value: 30000

After we leave the portal home page though, we are getting into PeopleTools generated HTML frames. The next command that Selenium IDE records is Command: selectFrame, Target: name=NAV. The NAV is the name that PeopleTools gives to the menu frame once we leave the portal home page. What we want at this point is for Selenium to wait for the NAV frame to load before we select it, but the commands that Selenium is generating are only waiting for our top level page to load.

Rather than run the entire test at a slower rate so that we're sure that the navigation frame is loaded, we'll insert an extra command before the selectFrame command that will tell Selenium to wait for that frame to load. To do that we

1. Right click on the selectFrame


2. Select "Insert New Command" from the popup menu


3. Type waitForFrameToLoad in the Command edit box


4. Type TargetContent in the Target edit box


5. Type 30000 in the Value edit box

One cool thing about Selenium IDE is that as you enter commands, you get type-ahead support for what commands are available. Once you select a command, then you get the help text for it automatically displayed at the bottom of the IDE window. Very nice! Here's a full list of all of the different commands that Selenium supports.

The other nice thing about the IDE is that we can copy and paste our waitForFrameToLoad command instead of typing it in everywhere. There are a few more places in our navigation script where the selectFrame command is used, so we'll paste it before each one. That allows us to run our script at full speed, but have it wait for the navigation to finish loading if the webserver is slow for some reason. Note that after we finish navigating we are then waiting for the frame called "TargetContent", so we use that name instead.

Skipping Navigation

In some cases you may want to include the navigation portion in your tests, but in many cases you'll want to just test a certain functional area. A good trick for doing this is just have Selenium go straight to the page that you want instead of navigating to it.

The open command in Selenium can be used in the middle of your test scripts, not just at the beginning, so we can replace all of the navigation commands with the open command and the value "/psc/ps/EMPLOYEE/PT_LOCAL/c/MAINTAIN_SECURITY.USERMAINT.GBL". Note that we used the psc servlet instead of the default psp. That will completely bypass the portal and just load the underlying component itself.

Making Assertions

Part of testing is making assertions about the behavior that is seen. Selenium supports making assertions about things as simple as text being on the page to whether specific cookies are present (a good way of checking that you are logged in is asserting that you have a PS_TOKEN cookie) and even as detailed as making assertions about the HTML source code that has been generated for a page.

There are somewhere in the neighborhood of around 100 different things that Selenium can make assertions about, so you should be able to come up with something that helps you validate the desired functional behavior that you are testing. For the example that we have been going through I added a the assertTextPresent command with the Target set to "Confirm Password" since that is the label for one of the fields on the User Profile page. This assertion will return true if "Confirm Password" is present anywhere on the entire page.

We can make some tighter assertions by narrowing the focus from the entire page to specific elements. The above assertion could also be implemented as the assertText, which takes an element locator in addition to the text that is being checked. We saw the use of element locators when working with the login form above; an element locator is just some way of identifying a single element on the page.

PeopleTools will typically generate unique IDs for each form field on page. These are normally the underlying record name and field name for the underlying value in the database (with row numbers if working with multiple rows). In the case of checking a label, PeopleTools will generate a "label" element, with the "for" attribute referencing which form field the label is for.

In this case, we end up with our element locator as //label[@for='PSUSRPRFL_WRK_OPERPSWDCONF'] because we want the label for the OPERPSWD_CONF field from the PSUSRPRFL_WRK record.



In the above screenshot we can see that our assertTextPresent assertion passed, but our assertText assertion failed. Selenium IDE provides the reason for the failure in the log though. The assertText assertion is making an exact check of the element's text, while the assertTextPresent assertion merely checks that the text exists at all across the entire page. Since PeopleTools is generating a colon at the end of the label, we would need to incorporate that in our assertion.

Saving Our Tests

Up to this point we haven't saved our test logic at all. In the Selenium IDE window, select File -> Save Test Case (or press Ctrl-S for a keyboard equivalent). You'll be prompted for a file name. I selected TestUserProfile.html. By default Selenium stores it's list of commands in a special HTML format, which is why we used that extension.

You can also have Selenium export a test case to various other programming languages (Java, C#, Perl, PHP, Python, and Ruby are all supported currently). The benefit to using a programming language for controlling Selenium is that you can then do things like have conditional logic, common subroutines, etc. The drawback is that you lose the ability to use Selenium IDE to work with them at that point. We'll stick with the plain HTML format for now while we're still getting familiar with Selenium, but future blog posts will get into using the programming language integration.



In the above screenshot you'll notice that I expanded out one section of the Selenium IDE window. That shows us the current test case being worked (TestUserProfile). If we click File -> New Test Case, we'll get an "Untitled" entry added in the list of test cases and an empty list of commands. We would then build up our test case just like we did above and save it.

Once you have a few test cases, then you can select File -> Save Test Suite to group the test cases together. You can copy and paste commands between different test cases, so if you find one test case is starting to cover too much functionality, you can break it into multiple test cases this way. Selenium lets you run either single test cases or run an entire test suite together, so you can break things in manageable chunks without losing the ability to group things appropriately.

I did notice a bug in the test case re-ordering within the Selenium IDE window though, so after you save your test suite, you'll probably want to open to the open the test file and re-order the tests listed there so they match the order that you want to run things in.

Wrapping Up

Now that we can start coming up with some meaningful tests, the next steps from here are to incorporate the execution of our tests into our Hudson environment so that they can be run automatically for us.

We'll also want to start integrating all of this with version control. We not only want to start keeping track of the different versions of our tests, but we also want to tie the execution of our tests to changes that are happening with the underlying PeopleSoft objects.

That way if a working test starts throwing assertion errors at some point, we'll be able to see exactly what changes were implemented in PeopleSoft that caused the problem, along with who did it and the underlying reason that the changes were implemented. And if necessary, revert those changes to put things back the way they should be.

Labels: 2009, Browser, Sysadmin, Testing, VersionControl

We've talked with a few different PeopleSoft customers recently that use Active Directory with PeopleSoft, but the AD teams in their organizations don't provide access to test Active Directory servers for applications that integrate with AD.

Microsoft saw this sort of thing coming awhile back and came out with something called Active Directory Application Mode (ADAM). They've changed the name since then to Active Directory Lightweight Directory Services (ADLDS), but you'll mostly find references to ADAM in various writeups out there. ADAM is the same codeline as Active Directory, but intended for just this sort of scenario.

The cool thing about ADAM is that it runs as a standalone service (it can even run on machines that are not members of a specific domain), so it's much easier for the PeopleSoft support team to put up a copy of ADAM on a machine somewhere for development and testing purposes.

ADAM/ADLDS is included as an optional component of Windows Server 2003 R2 or you can download it free from Microsoft. You can even run it on an XP workstation if you don't have the ability to put it on a server.

A good place to begin with using ADAM is this writeup on DevX. It is not PeopleSoft specific, but it will help you get everything up and running. Then you can configure your dev/test PeopleSoft instances to talk to ADAM instead of your production Active Directory servers so that you can test out different scenarios to see how they behave without incurring the wrath of your AD administrators :-)

Once that is up and running, then you can use our LDAP query tips and techniques to enhance the PeopleSoft delivered integration.

Labels: 2009, LDAP, Microsoft, Sysadmin

There's a thread going on over at ITToolbox about remote access to using psadmin.

As the commenters there point out there isn't anything available that directly exposes psadmin over the network, so you generally need to use tools like SSH or Remote Desktop to gain access.

In a lot of cases though, it's tough to sweet talk those overworked and underpaid system administrators into giving you access to the machine, especially when there is more than just the development environment on the machine.

If you just need access to start and stop application server and process scheduler domains there are some options though.

Unix/Linux.

Let's assume that you have a Unix shell account called psft that is used for managing the PeopleSoft domains, but developers aren't allowed direct access to this account. Instead, we'll create a couple of simple shell scripts that certain developers will be able to run

We'll start by creating a simple shell script for starting and stopping a particular domain.

Example hrdev_boot.sh

#!/bin/sh

psadmin -c boot -d HRDEV

Assuming that this file exists as /home/psft/hrdev_boot.sh, the system administrator can use the root account to edit the /etc/sudoers file (done through the visudo command - not a regular editor)

The following entry in the sudoers file would grant chris the ability to run this script as psft without knowing the psft account password. As long as chris does not have the ability to edit this shell script, then this is safe.

chris ALL = (psft) NOPASSWD: /home/psft/hrdev_boot.sh

From a shell prompt, user chris could boot the HRDEV application server domain like this.

chris@psft-server:~$ sudo -u psft /home/psft/hrdev_boot.sh

Using the ability of SSH to start remote commands and certificate-based authentication, we can even run these commands remotely. The following command issued from my laptop will boot the HRDEV appserver on psft-server.

chris@chris-laptop:~$ ssh psft-server 'sudo -u chris /home/chris/hrdev_boot.sh"

Windows.

On Windows what we'd like to do is let a developer start and stop a service for the HRDEV application server and process scheduler, but not have access to anything else. Windows will let us accomplish this without the developer even having direct access to the box.

In the Windows Services applet on the developer's own machine, they select Action -> Connect to another Computer ...



Then the developer can manage the services on the remote server....except that the developer's network account does not have access yet. Let's fix that.

Windows does not provide direct access to the security for each service in the Services applet, but it can be set through Group Policy. An alternative to using Group Policy is to just use the subinacl command line tool (downloadable from Microsoft if it's not already installed)

The server administrator would then run something like the following to grant the developer access to administer the service.

subinacl.exe /verbose /service \\psft-server\HRDEV_appserv_e_hcm90 /grant=chrisheller=F

which gives the following output

HRDEV_appserv_e_hcm90 : new ace for greysparling\chrisheller
HRDEV_appserv_e_hcm90 : 1 change(s)


Elapsed Time: 00 00:00:15
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : HRDEV_appserv_e_hcm90

Note that the service name being used there is one that was built with our Services Manager for PeopleSoft product, but the concept of granting service level security works with the standard PeopleSoft services as well. You would just need to install separate PSHOME directories for each one that you want to secure separately.

You can do similar things for the WebLogic service and the database service (although typically developers don't have much reason for restarting the database itself).

Labels: 2009, Process_Scheduler, Security, Sysadmin

Kudos to Oracle for making virtual machine templates available for the Oracle/Siebel applications.

Oracle is also making templates available for some of their lower level components as well (Oracle 11g, Enterprise Linux, Enterprise Manager), but the applications template are a bit of a milestone. To the best of my knowledge, this is the first instance of anyone making an enterprise application available via virtual machine this way.

Enterprise application delivery via virtual machine has the potential to flip some momentum back from the SaaS model (who generally have offered easy trials of their applications; just sign up and start using it). On premise software becoming simple enough to install and manage as to be competitive with SaaS is a much broader topic than I'll touch on in this post, but as Vinnie would tell you, there's lots of room for improvement with on-premise software.

Now all we need for PeopleSoft is for Oracle to start delivering new PeopleSoft releases and maintenance packs this way. I've been chewing on Jeff Robbins' ear on this topic for a little while, so this just provides some new fuel for me :-)

Update : Oracle is now making PeopleSoft applications available as well.

Labels: 2008, Oracle, Sysadmin, Upgrade, Virtualization

Jim Marion has a good writeup on his blog with some ideas for customizing the PeopleSoft signout page, but it doesn't directly cover a common use case that I get asked about a lot, which is redirecting the user somewhere else at signout time.

A common reason for doing that is if you have a primary portal, such as the Oracle Portal, that provides access into your PeopleSoft applications. When the PeopleSoft session is done, you want the user to return to the main portal home page. Another reason is that you have some sort of single signon external to PeopleSoft, so you don't want the PeopleSoft users to see the PeopleSoft signon page.

How to do it

The process for doing this is pretty straightforward. The HTML that gets displayed at signout time is defined in the "Look and Feel" page of the Web Profile. One common source of confusion with the values defined on this page is that they are not URLs, but they are references to files in the web server. So you can't set a different URL here, you need to have the redirection logic in the appropriate file on the web server.

By default, the file that gets displayed at signout time is called signin.html. We'll want to make a copy of this since by default it gets used for the signon page as well as the signout page. You can give it a name like signout_redirect.html ; end users will never see this name though so just name it so that you remember it's purpose later. Whatever name that you call it, you'll want to reference that name for the logout page in your Web Profile.

For example, if you wanted to send your users to the Grey Sparling home page with a 0 second delay when they log out from PeopleSoft, you would add the following line immediately after the <HEAD> tag at the top of your new file.

<meta equiv="REFRESH" content="0;url=http://www.greysparling.com/">

The contents of these files are read into memory when the web server starts up, so you'll need to bounce the web server in order to get that to take effect.

Preventing Page Flash at Signout Time

What I've outlined above is the simplest way to solve the problem. One small usability issue exists though. In spite of the fact that we have specified 0 seconds for the delay, the browser will still render all of the HTML onscreen before sending the user to the new home page. The best course of action here is to remove everything between the <BODY> tags. That saves the browser from having to render the page so it can get to the redirect quicker. There is still a quick page flash, but it is quicker and it is just a blank screen so it doesn't look quite as bad.

The HTTP gurus in the crowd are probably wondering why this isn't solved with an HTTP level redirect, which would make the whole page flash issue go away. The answer is that you don't have easy access to do this. You can use some of the options that Jim mentions in his blog (we do something similar in our ERP Firewall for PeopleSoft product) if it is really a big deal to you though.

Upgrade Issues

Each time you install PIA (whether from an upgrade or just adding a new web server) you'll need to copy this newly created file from an existing web server (since you no longer care about what new features/layout changes that Oracle might add to these pages in new releases).

If you install a lot of web server instances, you can put this file in the setup program so that you always end up with your custom one instead of the default. Just search for the file PTSitePsftdocs.jar in your PSHOME\setup directory. That has the source files that get put into the web server.

Session Expiration

Thankfully there is a separate page that gets displayed when a session expires vs someone signing out. That file is called expire.html. You may want to setup some separate handling for this one so that the user does see a message about their session having timed out instead of just being redirected to a different page.

Where are the files?

The actual files to edit in the web server are stored in WEB-INF\psftdocs\<sitename>. I'd list the whole path, but it's so incredibly deeply nested that you'd need a special wide monitor for the browser to be able to scroll that far :-) That's a subject for another blog post some day though.

Can I change signout behaviour based on the user?

By the time the signout page is displayed, the user's session has already been wiped out. You no longer even know who the user is/was. There are no PeopleCode events that run at signout time by default (although it can be done).

Read Jim's blog post or talk to us about ideas for getting around this.

Any other tips?

If you want to change the label/text of the Signout link, it is defined in the Message Catalog. The message set number is 95, and the message id is 408. Don't forget to update any other languages that you may be using with your PeopleSoft applications.

Labels: 2008, Security, Sysadmin

Steve Chan has a link to an iSeminar from Cliff Godwin with some real meat about details on how the technical upgrade to Fusion is planned to work.

The screenshot from the presentation on Steve's website nearly made me spit out my drink though. The actual title of the tool is called "Upgrade Assistant for Fusion". One of the bullet points says "Leveraging the best ideas from PeopleSoft Change Assistant".

Don't get me wrong; the PeopleSoft Upgrade Assistant (which became Change Assistant after it learned how to deal with maintenance as well as upgrades) is a whole heck of a lot better than some of the old manual processes in PeopleSoft upgrades, but most PeopleSoft customers aren't huge fans of Change Assistant. Change Assistant has been around for awhile now¹, so a lot of folks have forgotten how much of an improvement that it really was.

In fact, when we first started Grey Sparling, we considered doing product packaging as Change Assistant Change Packages (A "Change Package" is essentially just a .zip file that obeys Change Assistant's structural conventions about what files/directories are in it; similar to the Java .jar file format), but we got a lot of pushback. Customers told us that they didn't use Change Assistant for anything beyond just standard PeopleSoft maintenance, and therefore didn't have it up and running in demo and test environments, which is typically where people install our evaluation versions.

What Change Assistant Needs

What does Change Assistant really need, even before Fusion? Two things.

One is to beef up the logic for dealing with large volumes of patches and fixes. There's one bug in particular that rears it's head regularly where there will be pauses of several minutes between each file being copied. I've seen this in action at customer sites and it came up as a question during one of the OpenWorld sessions as well. It's not a slow file copy; each file gets copied quickly. It's more like some sort of "don't swamp the network" logic swung the pendulum too far on the conservative side. People really hate this.

The other is a bit more focus on using Change Assistant as part of the regular customization process. Application Designer actually has support for PeopleSoft customers to create their own Change Packages when doing custom development, but it's not well documented or supported. This forces customers to require other procedures in place for moving customizations around (since even to this day, there are almost zero PeopleSoft shops that don't have any customizations). Since customers end up dealing with this, learning (and understanding; see item 1) Change Assistant is viewed as an extra cost.

In keeping with that second item of better integration with customer development processes, we here at Grey Sparling will have some Change Assistant integration for our version control product. Since we're already dealing with all of the pieces of a Change Package anyways (App Designer projects, SQRs, Crystals, etc.), it makes sense to go ahead and add knowledge of what a Change Package is to the product so that you can version your PeopleSoft Change Packages just like anything else and have that more deeply integrated into your development processes.

1) The number one hit on Google for "Change Assistant" is a link to the original Change Assistant Flash demo from back in early 2004. If you watch the actual demo and pay close attention you can actually see one of the demo environments labeled APOGONOS.

Andrew "Pogs" Pogonoski was the original product manager for a bunch of the work that went on to actually have PeopleSoft be able to deal with all of the Customer Connection integration and hosting the Web Services that provide Change Assistant with it's data. All of the actual demo that you see in the movie is him working away.

It's safe to say that without Pogs' diligence at the large amount of cat herding involved that Change Assistant never would have gotten off of the ground.

Labels: 2008, Fusion, Sysadmin, Upgrade, VersionControl

If you run PeopleSoft applications on Windows, then you've probably been annoyed at one time or another by the way that the services are setup. Not the web layer so much as the application server and process scheduler. I know I have gotten annoyed with it :-)

There's a few problems with the way it works out of the box.

The first problem is that when you setup the services (option 3 in psadmin - "Services Setup"), you have to choose which application server domains and process scheduler databases that you want to be started. There's no way to separate multiple application server domains or even keep an application server and a process scheduler. It all gets installed as one Windows service called "PeopleSoft c:\pt848" (or wherever your PS_HOME was installed).

Why would you want them separated? Well, it's nice to be able to bounce things independently. Suppose you change some process scheduler configuration and you need to restart the process scheduler. You don't want to annoy all of your online users. Or maybe you have application server domains that serve different purposes. When we install our software at customer sites, we almost always see shops with DEV, QA, UAT, etc. installed in a single PS_HOME directory. If your developers need to bounce an appserver, then you don't want them interfering with your testers. Most people do keep production domains separated from the rest though.

Of course, even with the services setup, you can still go into psadmin (or can you?) and bring domains up and down, but lots of places don't want non-administrators to be able to reconfigure anything. Unfortunately psadmin does not have a mode where you can grant access to start and stop a domain, but not change the configuration of it.

With separate services, you can not only start and stop them independently, you can also use tools like sc (downloadable from Microsoft as part of the Windows Server 2003 Resource Kit). Then you could allow your remote developers the ability to reboot their dev domain with out granting them access directly to the server at all.

Another problem is that the psntsrv.exe process that launches psadmin to start or stop a domain does not integrate well with either the Windows Services APIs or with psadmin itself. If a domain takes a long time to boot for some reason, you'll end up getting an error about the service failing to start, even though psadmin is still starting things.

As long the domain ends up starting properly, this isn't such a big deal, but if the domain fails to boot for some reason after Windows thinks that it has failed to start, then there's no automatic corrective action that can be taken. Also, psntsrv.exe relies purely on the exit status of psadmin.exe to decide whether a domain started or not. Unfortunately, this is not 100% reliable. Of course, if you can't trust the service status when the service is just a single domain, you certainly can't trust it when it is managing multiple app server domains and process schedulers under a single service definition.

Another nice thing that you can do with separate services and service statuses that you can trust is take advantage of Windows service dependendencies. David Kurtz explains this well over on his weblog (including some caveats about when not to use them).

An example use might be having your DEV appserver domain wait to start until your DEV database service available. That particular example presumes that you have the appserver and database server on the same physical box and that you're running a database engine that will create separate services for each database (such as Oracle), but you get the idea.

Rather than sit around complaining, we at Grey Sparling went ahead and built something that addresses these issues(1). The Grey Sparling Services Manager solves these problems as well as providing a few other handy features.

• Create separate Windows service definitions for each application server domain and process scheduler domain that you have.
  
• Sane service names so that you can script them with things like "net start" or sc, and have the script make sense. An example service name would be something like HCM9_appserv_c_pt848 (domain name _ domain type _ directory name)
  
• Watches domain status and will set service status accordingly. So if someone goes in and shuts down a domain manually with psadmin, the service status will change to reflect that. This means that you restart the domain remotely utilizing the service management tools described above even when the domain was stopped manually.
  
• Logging directly to the Windows Event Log. Each time a domain is started and stopped, the output from psadmin is captured and saved to the Event Log. This is also useful for remote administration.
  
• Nice graphical installer that guides you through the process of creating (or removing) service definitions (there's also a command line interface for doing this if for some reason you are managing lots and lots of domains)
• Enables tighter integration of PeopleSoft applications with enterprise management tools such as Oracle Enterprise Manager, Microsoft Operations Manager, etc.
  

We have a Flash demo of the Services Manager in action, you can take a look at a short Flash demo here.

If you'd like to get a copy, we're making it available free to all Grey Sparling customers. If you're not a Grey Sparling customer yet (and why aren't you?) and you'd like to take it for a test spin, we can have an evaluation version up and running in your environment in about 5 minutes. It's really that straightforward. Just shoot us an email or give us a call.




1) We actually built this a few months back, but this posting has been sitting in the queue for a bit.

Labels: 2007, Sysadmin, Windows