David Pigman of SpearMC consulting presented Advanced PeopleSoft Security Audit.

Most of the presentation consisted of walking through slides of the PeopleTools security table structures, along with some discussions of things to watch out for. Some examples included key field names that are different between tables (which means Query won’t autojoin), decoding the ACTIONS field (which is a bitfield) into meaningful data, and understanding that PeopleTools like Data Mover, Application Designer, etc actually get secured by menu names (eg DATA_MOVER) that don’t actually exist as menu definitions, but are hard-coded in the PeopleTools internal code.

The presentation was good (although I don’t think that I would call it advanced audit). A little more demo vs slides would be nice as well. A number of the queries that David did show (either in ppt or in an environment) are available with the presentation to be downloaded later.

They also have a product offering with additional queries that a security auditor might find useful. Towards the end of the presentation David showed a few of these in a live environment.

Labels: 2010, OpenWorld, Oracle

Hit this error message earlier and noticed that no search engines had the answer so I wanted to share.

When running App Engine from a command prompt or from within App Designer, you get a dialog popping up with

Your security options are set improperly. Please contact your security administrator.

The same error does not popup when you login to App Designer or Query or other 2 tier tool though.

The answer is that somehow you ended up with the PS_SERVER_CFG variable set in your current environment and psae.exe is getting confused as to whether it should be running under the process scheduler or not. Tools like Application Designer don’t get confused because they never run under the process scheduler.

Labels: 2010, PeopleTools, Support

When you create a domain for a PeopleSoft application server, the default configuration for the Tuxedo listener is a variable called %PS_MACH% (which expands to the hostname of the machine). When the domain is booted, the hostname is resolved into an IP address and that is what the Tuxedo listener will bind to.

This is generally what you want for the most common scenarios, but there are cases where you want to change it.

Binding to localhost

I used to do lots of PeopleTools demos in the PeopleSoft corporate visit center when customers came to see what new things we were working on. That meant getting up from my office over in building F and walking across the campus over to the corporate visit center in building A. As a general rule, I always kept my laptop running when walking between the different buildings on the PeopleSoft campus ⁽¹⁾, partly because it would take so long to boot up an entire PeopleSoft demo environment.

Since I would end up changing IP addresses when I switched buildings, I would always set the Tuxedo listeners to listen on localhost. If I had left them on %PS_MACH%, the Tuxedo listener would still be bound to the IP address I had in my office in building F, not the new IP address I would receive when connecting in building A.

Multiple IP addresses

Binding to localhost worked for my scenario, but binding to localhost means that you can only connect webservers running on the same machine as the application server.

An alternate strategy is to use the special IP address 0.0.0.0 in your Tuxedo configuration. That tells Tuxedo to bind to all IP addresses on the machine. That is handy not just for our scenario of changing IP addresses, but also for situations where you have multiple IP addresses on your server. That could be from multiple NICs (network interface cards), virtual IP addresses or some other exotic configuration.

Once you do that, then your PeopleSoft appservers will survive what IP address reconfiguration that gets thrown at them without needing to restart your appserver domains.

1) I became semi well known around PeopleSoft headquarters as the only dork that kept working while walking around, but not as well known as the one PeopleTools developer that used to walk around wearing a black cape. I’m still not sure if that was supposed to be a magician’s cape or Count Dracula.

And no, I never dropped a laptop or tripped 🙂

Labels: 2010, psadmin, Sysadmin, Tuxedo