Tuesday, December 08, 2015

PeopleSoft Support of TLS 1.2 when connecting to LDAP/HTTP servers using LDAPS/HTTPS URLs

Currently all PeopleSoft PeopleTools releases, including 8.55, support only Java 1.7 for the Appserver. Java 1.7 supports both TLS 1.1 and TLS 1.2, but by default it enables only SSL 3.0 and TLS 1.0. For HTTPS connections this is easy to fix by adding the following parameter to the JavaVM Options line in the Appserver (psappsrv.cfg) and Batch server (psprcs.cfg) config files:

JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Xms32m -Xmx128m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

Once you modify the parameter, simply restart the Appserver or batch server and it will take effect. There is no need to reconfigure the appserver or batch server.

Please note this only works for HTTPS connections, for example when connecting to an Integration Gateway web server that accepts only TLS 1.1 or TLS 1.2 connections.

To make this also work for an LDAP or Directory server that is configured to accept only TLS 1.2 connections, for compliance with PCI DSS v3.1 (mandatory after June 30, 2016), a code change to $PS_HOME/appserv/classes/psft/pt8/pshttp/PSLdapSSLSocketFactory.class is required so that it uses TLSv1.2 instead of SSL. The following line

SSLContext sslcontext = SSLContext.getInstance("SSL");

needs to be changed to

SSLContext sslcontext = SSLContext.getInstance("TLSv1.2");

Currently there are no configuration parameters to fix this issue. There is an open PeopleSoft bug to address it; please open a support case with Oracle and reference the bug number below if you need the fix.

22323376 - LDAP FAILS TO CONNECT TO LDAP SERVER USING TLS 1.2

This will impact any PeopleSoft application that is considered a PCI in-scope application and uses TLS 1.2 for authentication with an LDAP Directory server over the LDAPS protocol.

You will see the following error in the Appserver log when connecting to the LDAP server using the delivered page.

[Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]

Please note that PeopleSoft uses JNDI to connect to the LDAP Directory server via the delivered Directory Interface Business Interlink.
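As an added example (not Oracle's delivered class, and not a substitute for the bug fix above), this is what a TLS 1.2-only LDAP socket factory wired into JNDI looks like; it covers the LDAPS path that -Dhttps.protocols does not touch. The protocol name passed to SSLContext.getInstance selects what the context supports, but the enabled protocol list on each socket can still be wider, so the factory also pins it with setEnabledProtocols. The class name, the connect() helper and the ldaps:// host are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical stand-in for the delivered PSLdapSSLSocketFactory (example code, not Oracle's class).
// JNDI's LDAP provider loads the class named in java.naming.ldap.factory.socket and calls its static getDefault().
public class Tls12LdapSocketFactory extends SSLSocketFactory {
    private static final String[] ALLOWED_PROTOCOLS = { "TLSv1.2" };
    private final SSLSocketFactory delegate;

    public Tls12LdapSocketFactory() {
        try {
            // The one-line fix from the post: request "TLSv1.2" instead of "SSL".
            SSLContext sslcontext = SSLContext.getInstance("TLSv1.2");
            sslcontext.init(null, null, null); // null managers = JRE default key store / trust store
            this.delegate = sslcontext.getSocketFactory();
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            throw new IllegalStateException("TLSv1.2 is not available in this JRE", e);
        }
    }
    // Entry point JNDI uses; hides SSLSocketFactory.getDefault() on purpose.
    public static Tls12LdapSocketFactory getDefault() {
        return new Tls12LdapSocketFactory();
    }

    // The context name alone does not pin the enabled list on each socket, so restrict it explicitly.
    private static Socket restrict(Socket s) {
        if (s instanceof SSLSocket) {
            ((SSLSocket) s).setEnabledProtocols(ALLOWED_PROTOCOLS);
        }
        return s;
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return restrict(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return restrict(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException { return restrict(delegate.createSocket(host, port)); }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return restrict(delegate.createSocket(host, port, local, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException { return restrict(delegate.createSocket(host, port)); }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return restrict(delegate.createSocket(host, port, local, localPort));
    }

    // Hypothetical helper showing how JNDI is told to use this factory for an ldaps:// URL.
    public static DirContext connect(String ldapsUrl, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl); // e.g. "ldaps://ldap.example.com:636" (placeholder host)
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", Tls12LdapSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
}
```

Against a directory server that still allows only SSL 3.0 or TLS 1.0, connect() fails with the same SSLHandshakeException quoted above, which is the expected behaviour once TLS 1.2 is the only enabled protocol.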

Thursday, September 17, 2015

Global Database Link feature in Oracle 11G can result in Peoplesoft Signon Failure

If you use Oracle Internet Directory (OID) to resolve database names, then you have this feature enabled by default. With the global database link feature, users can access tables/views in another database using the @dbname syntax even when no explicit database link has been created. For example, User A logged in to Database A using his personal id XXXX can run the query below to access a table in Database B. The only thing needed to make this work is that the password for User A must be the same in both Database A and Database B.

select * from ps_job@databaseb

This may create a potential locking situation if passwords in the databases are not synced up and there is an account lock policy that locks the account after x invalid attempts. As soon as the user runs more than x SQL statements using the global database link feature, the account in Database B is locked. When you look at the DBA audit trail, you will see that the connection attempt was made by the oracle user and the machine name is that of the database server. This makes it confusing to determine how the account got locked.

This is even more dangerous if someone runs an SQR or Application Engine program through the PeopleSoft process scheduler with remote-database syntax in the SQL, for example ps_job@databaseb.

This is because the PeopleSoft process scheduler runs the SQL using the database access id in Database A, which in turn accesses Database B using the access id password from Database A. Most likely you keep the database access id password (default: SYSADM) different for each database, so this can lock the SYSADM account in Database B because of the account lockout policy. If this happens, users will see the following error when trying to access the application:

“Bea.jolt.serviceexception: TPENOENT – No entry”


You can find more information on this at My Oracle Support

What are Global Database Link and How do you Disable them? (Doc ID 1632329.1)

http://docs.oracle.com/cd/E11882_01/server.112/e25494/ds_concepts.htm#ADMIN02801

If this happens in your environment, please check whether the database access id is locked out. If it is, unlock the database access id and restart all your app and batch servers.

ios9 Safari PeopleSoft Pages appear zoomed

After the recent upgrade to iOS 9 from iOS 8.4.1 on an iPad Air and iPhone 6, PeopleSoft pages appear zoomed and the entire UI looks messed up in Safari. Our PeopleTools environment is 8.53.12 and this is reproducible in multiple demo environments including HR and Portal 9.1.

Steps to reproduce the issue

1. Log in to an HRMS 9.1/Portal 9.1 demo instance using Safari on an iPad or iPhone running iOS 9

2. Open the System Profile page

Screenshot of the zoomed page.

Update from Oracle Support

This is a known issue tracked by

Bug 21626379 - IOS 9 BETA 5: CLASSIC PAGES ARE NOT RENDERING PROPERLY.

Apple Development is currently working on the issue.

Update: The issue is not resolved even with the iOS 9.1 release. According to Apple support they are still investigating the issue and it will be fixed in some unknown future release. Meanwhile Oracle has provided a workaround. Please test carefully before applying the workaround.

Please refer to E-PIA: PeopleSoft Classic Pages Are Not Rendering Correctly In IOS 9 (Doc ID 2057957.1) for the workaround. It is different for 8.53 and below versus 8.54 and above.

Monday, August 31, 2015

You are not authorized to access this component. (40 20)

You may see this error message even if you have granted the correct security. To resolve this, run the SQL below to find the offending role, then open the role and delete the orphan permission list, or remove the role from the user, and the issue will be fixed.

This was happening because the user had a role that referenced a permission list that did not exist in the database. This happens when a project is migrated to the target database but does not include the permission list.

SQL to find a non-existing permission list assigned to a role (replace [--OPRID--] with the user's OPRID):

select R.rolename
     , RC.classid
  from psroleuser R
     , psroleclass RC
 where RC.rolename = R.rolename
   and not exists
       (select 'X' from psclassdefn C
         where C.classid = RC.classid)
   and R.roleuser = '[--OPRID--]'

Original Post appeared in :

http://eliandokp.blogspot.com/2010/02/component-error-you-are-not-authorized.html

Monday, April 13, 2015

Running a BI Publisher Report from an online page logs user out of PIA

When a user runs a BI Publisher report from an online PIA page by clicking a button, and the report is based on a Query, the user sees the message below.

An error has occurred. You may attempt to sign in again. If your attempt fails, please contract your System Administrator.
Please make sure Webserver and Appserver are up. null


In the Appserver log, we see the error

PSPAL: Abort: Unexpected signal received
PSPAL: Abort: Location: /vob/peopletools/src/pspal/exception_sigaction.cpp:494: RecoverableSignalHandler
PSPAL: Abort: Generating process state report to /opt/test/psft/pt/8.53/appserv/prd/LOGS/PSAPPSRV.10742/process_state.txt

Inside process_state.txt, we see that RunToFile is actually generating the exception and killing the appserver thread.

#2  0x00007f7012a8f224 in PSPAL::DumpProcessState::GenerateAbortDiagnostics(char const*, PSPAL::ExceptionContext*) () from /opt/test/tools/bin/libpspal64.so
#3  0x00007f7012a8386b in PSPAL::Abort(char const*, char const*, int, char const*, PSPAL::ExceptionContext*) () from /opt/test/tools/bin/libpspal64.so
#4  0x00007f7012a89191 in PSPAL::SigactionSignalHandler::RecoverableSignalHandler(int, siginfo*, void*) () from /opt/test/tools/bin/libpspal64.so
#5  0x00007f7012a89a65 in PSPAL::SigactionSignalHandler::SignalHandler(int, siginfo*, void*) () from /opt/test/tools/bin/libpspal64.so
#6  0x00007f6ff6e15f12 in os::Linux::chained_handler(int, siginfo*, void*) () from /opt/test/tools/jre/lib/amd64/server/libjvm.so
#7  0x00007f6ff6e1bbf6 in JVM_handle_linux_signal () from /opt/test/tools/jre/lib/amd64/server/libjvm.so
#8  <signal handler called>
#9  0x00007f700f03619f in QpmEnd () from /opt/test/tools/bin/libpssys.so
#10 0x00007f70088b7815 in CPSQuery::CleanupQueryExecution(void*, void*) () from /opt/test/tools/bin/libpsoftapi.so
#11 0x00007f70088fa777 in CPSQuery::RunToFile(IPSRecBuf*, wchar_t const*, int, int) () from /opt/test/tools/bin/libpsoftapi.so
#12 0x00007f70088c28fc in _IPSQuery::InvokeMethod(wchar_t const*, IPSApiVariant*, IPSApiVariant**, int) () from /opt/test/tools/bin/libpsoftapi.so

Resolution: Determine the records used in the PeopleSoft query behind the BI Publisher report definition. Make sure each record is added to the permission list of the user running the report, via the Query tab in the permission list component and the Access Group link. Once the permission list is modified, add the permission list to the role assigned to the user if it is not already there. This resolves the issue. Noted in PT 8.53.12.

Monday, March 23, 2015

Enable support for SHA256 SSL Certificate in PeopleSoft using WebLogic Web server.

Note: This applies mainly to PeopleTools 8.53 and may or may not work with lower (8.52 or lower) or higher (8.54) PeopleTools releases. Also this pertains to WebLogic and may not be applicable to WebSphere.

WebLogic version used is 10.3.6.0

Step 1: Update WebLogic to the latest Patch Set Update. If you already have a WebLogic Patch Set Update installed, you will need to uninstall it, including any one-off patches, and reinstall the latest Patch Set Update, for example 10.3.6.0_10 for WebLogic 10.3.6. In the case of WebLogic 10.3.6.0_10, also apply the one-off patches below to avoid "SSLEngine is closed" errors.

Patch 19637463: SU Patch [12UV]: WLS PATCH SET UPDATE 10.3.6.0.10

Patch 20674162: SU Patch [9UB4] :10.3.6.0.10 Overlay: MERGE REQUEST ON TOP OF WLS PSU 10.3.6.0.10 FOR BUGS 13244304 13371700 13405083 13869852

Patch 16810786: SU Patch [SK1V]: MEMORY LEAK ON COM.CERTICOM.TLS.INTERFACEIMPL.CERTIFICATESUPPORT

Step 2: Disable SSL3 support for WebLogic (this is optional but highly recommended to avoid security issues).

Add -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 to JAVA_OPTIONS in setEnv.sh for the OS you are using. For Linux it is

JAVA_OPTIONS_LINUX="-server -Xms1024m -Xmx1024m -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 -XX:MaxPermSize=256m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"

If you are using both a Managed Server and an Admin Server, search for the line below

#Changed the java min and max heap values for admin server

and update the block that follows it

Linux|LINUX)
    JAVA_OPTIONS="-server -Xms256m -Xmx256m -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 -XX:MaxPermSize=128m -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"

Please note that once you do this, any WebLogic utility including WLST (WebLogic Scripting Tool) must have the following added to the Java command line that invokes it

-Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1

Otherwise you may see errors.

You will also need to go to WebLogic Console –> Servers –> PIA, WebLogicAdmin –> SSL Tab –> Advanced and select the Enable JSSE checkbox.

You may also want to upgrade to JRE or JDK 1.7.0_76 (or the latest Oracle-supported JRE/JDK for your WebLogic server version).

Step 3: Remove the Bouncy Castle JAR file from the CLASSPATH by moving it out of the lib folder for each web server.

mv $PS_CFG_HOME/webserv/peoplesoft/applications/peoplesoft/lib/bcprov-jdk15-132.jar $HOME/tmp/

If you do not do this, the web server becomes unresponsive or takes longer to respond, and Connection Reset errors will be seen in Chrome/Firefox/IE/Safari whenever an ECDHE cipher suite is negotiated.

Removing this JAR file may impact some cryptographic functions, though everything is working fine in our environment including web service security. It is supposed to be part of wss4j-1.5.9.jar (Apache Web Services Security module), which is bundled with PeopleTools. This issue was observed on those web servers where we have enabled Integration Broker gateway servers and use web services that involve security.

Restart WebLogic after all the changes are complete and the SSL certificate has been imported into pskey using pskeymanager.sh.

Also, if any other applications connect to you using SSL or HTTPS, they will need to support SHA256. In WebLogic 10.3.4 or higher this means enabling JSSE support in the WebLogic console; if your version is lower than 10.3.4, use the Sun HTTP Handler, which automatically enables JSSE support.

How to Change Weblogic to Use the Sun SSL Implementation Rather Than Certicom
(Doc ID 1242974.1)

The SSL implementation and SSL Handler can be changed by setting the following flags on startup:
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
-Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
-DUseSunHttpHandler=true
Also for Webservice clients, include:
-Dweblogic.wsee.client.ssl.usejdk=true

In the end Test! Test! Test! that all of this works correctly.

In summary, supporting SHA256 with WebLogic 10.3.6 or lower requires a series of changes. Plan ahead and allocate enough resources to handle this migration. This will become important as major browsers start flagging SHA1 certificates as insecure.

Useful resources: http://www.ssllabs.com, where you can test your public website using their site scanner. Enable support for TLS 1.0, 1.1 and 1.2 and disable SSL 3.0 support in IE. For Firefox/Chrome, upgrade to the latest version to automatically disable support for SSL 3.0.

If you encounter specific issues related to the SHA256 implementation with WebLogic and PeopleSoft, leave a comment and I can try to help.

List of Bugs fixed in Patch Set Update - Doc ID 1942223.1

Some of the error messages I have encountered when settings are not correct are:

javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received. (Seen if JSSE is not enabled; the Certicom SSL implementation does not support SHA256.)

Enabling JSSE in WebLogic

<BEA-101104> <Servlet execution in servlet context "ServletContext@445892755[app:peoplesoft module:/ path: spec-version:2.5]" failed, java.io.IOException: SSLEngine is closed. at weblogic.socket.JSSEFilterImpl.checkCauseSSLEngineClosed(JSSEFilterImpl.java:383)

<BEA-101083> <Connection failure java.io.IOException: SSLEngine is closed at weblogic.socket.JSSEFilterImpl.checkCauseSSLEngineClosed(JSSEFilterImpl.java:385)

<BEA-000000> <weblogic.utils.net.SocketResetException: SSLEngine is closed>  at weblogic.socket.JSSEFilterImpl.checkCauseSSLEngineClosed(JSSEFilterImpl.java:431) (only with the Apple Safari client when fetching CSS or JavaScript through the PeopleSoft cs servlet)

java.lang.RuntimeException: Could not generate DH keypair

Caused By: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
    at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
    at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)

To enable SSL debug options

# JAVA SSL DEBUG (in setEnv.sh) to troubleshoot SSL handshake issues.

#JAVA_OPTIONS_LINUX="-server -Xms1024m -Xmx1024m -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Dweblogic.security.SSL.verbose=true -Djavax.net.debug=all -XX:MaxPermSize=256m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"

Tuesday, February 10, 2015

Application Designer Compare Report Slow

Recently, after upgrading to PeopleTools 8.53 from PT 8.50, we noticed that for a large project (611 items) the compare report runs really slowly, taking more than 1 hour. It was even slower (3 hours) when the database is located in a remote data center.

Since PeopleTools 8.51, PeopleSoft has added the ability to write compare reports to database tables, and this is what was causing the slowness.

If you are not planning to use the database tables to review compare reports, do the following to speed up the compare report process.

Go to Compare and Report –> Options

Select the Report Option tab and uncheck Generate Output to tables.


This fixed the issue. You can also truncate the tables below if you do not need to store previous versions of compare reports.

truncate table PSCOMPDEFN;
truncate table PSCOMPITEM;
truncate table PSCOMPITEMDATA;
truncate table PSCOMPSESSION;
truncate table PSCOMPOBJDIFF;
truncate table PSCOMPOBJLONG;

The first 3 tables are no longer used in PT 8.54.

MOS (My Oracle Support Articles)

E-UPG PT8.51+: Are Tables Updated with Compare Report Data? (Doc ID 1290456.1)

E-COMP: Generate Output To Tables Option Not Writing Results To The Tables In 8.54 (Doc ID 1958074.1)

E-PUM: How to Improve Performance on Step "Comparing ADS MO Project From File" (Doc ID 1965298.1)

You can also export the Configuration Manager config file and add the following under the PSIDE section, after the line UpgXmlOutput=REG_DWORD=0

UpgTblOutput=REG_DWORD=0

You can then use this config file to install other workstations with the same configuration.

Alternatively, you can paste the text below into Notepad, save it as psidecompare.reg and ask users to run it manually to change the setting.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\PeopleSoft\PeopleTools\Release8.40\PSIDE]
"UpgTblOutput"=dword:00000000

Monday, January 26, 2015

IE9 Save As or Save Target As not working after applying update KB3008923 on Windows 7 SP1 64 Bit machine

Update: After applying the latest cumulative security update KB3032359 - MS15-018: Cumulative security update for Internet Explorer: March 10, 2015, Save As is working fine again. This also resolves the IE9 FREAK vulnerability.

If you have applied update KB3008923, you may not be able to open any Microsoft Office document (doc, docx, xls, xlsx, ppt, pptx, etc.). Also, if you try to download software and use the Save As option from the toolbar, it does not work. If you right-click on a link and select Save Target As, that also does not work.


This issue is not mentioned on the Microsoft site http://support.microsoft.com/kb/3008923

Though they recommend manually applying update KB3025945 (http://support.microsoft.com/kb/3025945) to resolve the IE9 crash issue, it does not fix this issue.

To resolve the issue, I had to uninstall both KB3025945 and KB3008923, and once I did that everything started working normally. I would advise not installing this update until Microsoft comes up with a replacement fix through Windows Update.

This will impact the PeopleSoft Excel Query download functionality and any Word document download.

To uninstall the update, go to Control Panel, search for "Installed updates" and select View Installed Updates under Programs and Features.


In the search box at the top right, type KB3025945 first and then KB3008923, right-click the selected update and select Uninstall. You will need to restart the machine after each update is uninstalled.

(NET.334): Tuxedo cannot find the service RunAeAsync2. Make sure the application server advertising this service is booted.

If your users are calling to tell you that Application Engine processes remain in Initiated status for a long time (> 5 minutes), and PSAESRV is configured, look in the $PS_CFG_HOME/appserv/prcs/<domain>/LOGS folder: in SCHDLR_MMYY.LOG you will see the message

(NET.334): Tuxedo cannot find the service RunAeAsync2.  Make sure the application server advertising this service is booted.

To see all files that have this message:

grep NET.334 SCHDLR*.LOG | cut -d : -f 1 | sort -u

Please note the number at the end of RunAeAsync. It can be 1 through n depending on the number of PSAESRV processes configured. This message means that the PSAESRV instance with that number is not running; in this case the PSAESRV that provides the service RunAeAsync2 is not running.

In the same folder, in TUXLOG.MMDDYY, you will also see the following messages

010135.abc.com!restartsrv.16887.414156544.-2: server AESRV/2: CMDTUX_CAT:1684: ERROR: Application initialization failure

010135.abc.com!restartsrv.16887.414156544.-2: server AESRV/2: CMDTUX_CAT:587: INFO: Cannot restart server, scheduling for cleanup

grep CMDTUX_CAT:1684 TUXLOG.*

Resolution

This means that for some reason PSAESRV has crashed and the Tuxedo restart process is not able to restart the PSAESRV process.

You have two options to fix the issue.

Option 1: Shut down and restart the server.

Option 2: Manually start the PSAESRV process from the command line without shutting down and restarting the server.

Option 2 is preferred if you have other PSAESRV processes running in Process Monitor, since they would be killed if you stop the process scheduler.

Start PSADMIN (cd $PS_HOME/appserv; ./psadmin)

Select 2 for Process Scheduler

Select 1 for Administer a domain

Select 1 for the appropriate Process Scheduler domain

Select 5 for TUXEDO command line (tmadmin)

Type

boot -g AESRV -i 1

(Change -i 1 to the appropriate number for the PSAESRV process that crashed, determined from the number at the end of RunAeAsync.)

Observed this issue in PeopleTools 8.53.12 on Linux Red Hat 6.3 64-bit.

Wednesday, January 14, 2015

Unable to find a Routing Corresponding to the incoming Request Message (158,505)

When testing a WSDL or WADL you get the message Unable to find a Routing Corresponding to the incoming Request Message (158,505) in the output. For example, after publishing the WSDL for SOAP or the WADL for REST, you try to view the WSDL or WADL and get the above message.

1. Make sure that the GETWADL and GETWSDL service operations, which are part of the IB_UTILITY service, are active and have an Any-to-Local routing defined and active. Once you add the missing routing, go to the Routing Definition, select the Parameters tab and make sure that the External Alias is exactly GetWADL for GETWADL and GetWSDL for GETWSDL. If it is anything else, for example GETWADL or GETWADL.V1, it will not work.


See My Oracle Support resolutions 1949257.1 and 1572531.1 for more information.

Sample URLs to view the WADL and WSDL are

WADL (REST)
http://piahostname.com/PSIGW/RESTListeningConnector/PSFT_PA/PTCS_SECURITY.1.wadl

WSDL (SOAP)
http://piahostname.com/PSIGW/PeopleSoftServiceListeningConnector/PSFT_PA/PTCS_SECURITY.1.wsdl

To find out which WSDLs or WADLs are published to the WSDL repository, run the following select.

select * from PSIBWSDLDFN;

Note: This was tested in 8.53.09 and 8.53.12 but may be valid for other PeopleTools versions as well.