Wednesday 31 August 2011

Restrict external access to PeopleSoft with Squid


I recently had to expose a client’s PeopleSoft installation to the outside world, which I did in the usual manner (additional PIA in the DMZ etc).


We wanted to use the “closed by default, open by exception” approach, so we would start by blocking access to everything and then open the areas we needed access to URL by URL.  I suspected that the final ‘URL Whitelist’ might take many iterations to get right and as the Reverse Proxy in the DMZ was outside of my control I needed to trial it somewhere else first.


I commandeered one of our less frequently used environments and went about searching for a quick/free method of blocking access.  After trying a few different approaches I settled on Squid, the open-source forward-proxy / web-caching server.  Although it’s better known for running on Unix systems, there is a Windows implementation and it can operate perfectly well as a reverse-proxy.


Once I’d downloaded and unzipped the binaries, and installed it as a service (using this helpful write-up as a guide) it was just a case of setting the rules.


In the ACLs section I added my bad and good URLs:

acl bad_url urlpath_regex *DEV*
acl good_url urlpath_regex "c:\squid\etc\good-urls.squid"

This would block any URL with DEV in it (my chosen environment was DEV), but then allow any URLs in the ‘good-urls.squid’ file.  I then had to specify in the http_access section what to do with these ACL groups.

http_access allow good_url
http_access deny bad_url
http_access allow all

It took me a few goes to get this right as the last line confused me for a while, but luckily there are copious notes in the provided .conf file:



If none of the “access” lines cause a match, the default is the opposite of the last line in the list.  If the last line was deny, the default is allow. Conversely, if the last line is allow, the default will be deny.


I was happy leaving my PeopleSoft environment on port 80 and Squid on 3128 as this is just a temporary setup for my testing.  Obviously Squid would be on port 80 if this was a production setup.


I amended the default port line thus:

http_port 3128 defaultsite=xxx.yyy.com

(where xxx is the hostname and yyy is the domain name)


And finally I added this line:

cache_peer 127.0.0.1 parent 80 0 originserver default

I used 127.0.0.1 as Squid is on the same host as the PIA, and the rest is for forwarding.


In the Web Profile ‘Virtual Addressing’ tab, add the reverse proxy details.  This will ensure that PeopleSoft uses the reverse-proxy port number.  Bounce the PIA.


If you want a nice custom ‘Access Denied’ page instead of the default Squid one, they can be found in ‘C:\squid\share\errors\English’.  They have no file extension, but they’re HTML so a cinch to amend.


This is largely going to vary depending upon what you want to expose to the external users.  A lot of what we opened up were custom pages so there isn’t a lot of value sharing the full file here.  Having said that, here is a snippet of our file:

*login*
*css*
/psp/ps/EMPLOYEE/HRMS/h/*
*/cs/ps/cache/*
*/ps/images/*
*/psc/ps/*viewattach*
*/psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.GP_SS_EE_PSLP.GBL*
*/ps/ckeditor/*
*/psc/ps/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL*
*/psp/ps/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL*
*/psc/ps/EMPLOYEE/HRMS/s/WEBLIB_TIMEOUT.PT_TIMEOUTWARNING.FieldFormula.IScript_TIMEOUTWARNING*
/psc/ps/EMPLOYEE/HRMS/\?cmd=expire*
/psp/ps/EMPLOYEE/HRMS/\?cmd=expire*
/psp/ps/EMPLOYEE/HRMS/\?cmd=logout

Lines 1 and 2 sort out the signon page.


Line 3 is the Employee Portal homepage.


Lines 4 and 5 are for images.  Lines 6 and 8 are for viewing attachments and the Rich Text editor.


Lines 7, 9 and 10 are sample PeopleSoft pages/components.


The remainder deal with the timeout and signout links.


(Assuming that your PIA site is ‘ps’)


And you’re done.  There are a few little quirks to note.


Firstly, every time you change your URLs file you’ll need to restart the Squid service, but it’s a quick process so doesn’t hold you up too much.


Secondly, PeopleSoft frequently uses the ‘?’ special character as a URL delimiter so Squid only matches against the characters before this point.  There are several occasions when you need to match against the full URL, which is why I’ve used urlpath_regex in the ACL section above.  This allowed me to escape the special characters so that the log-out, time-out and view attachment links work ok.
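The rule evaluation described in this post, modelled in Python as an added example (not code from the original write-up): it shows how the three http_access lines, the same list without its last line, and a closed-by-default variant decide a few request paths, and lists which must-deny paths a whitelist lets through. The DEV site name, the request paths and the regex fragments are constructed assumptions standing in for the entries in the post.

```python
import re

# Constructed ACLs: plain regex fragments standing in for the post's entries,
# with DEV assumed as the PIA site name.
ACLS = {
    "good_url": [r"login", r"css",
                 r"^/psp/DEV/EMPLOYEE/HRMS/h/",
                 r"^/psp/DEV/EMPLOYEE/HRMS/\?cmd=logout$"],
    "bad_url": [r"DEV"],
}
# Same whitelist with the loose fragments replaced by one anchored sign-on
# pattern (the sign-on URL shape is an assumption).
TIGHT = dict(ACLS, good_url=[r"^/psp/DEV/\?cmd=login"] + ACLS["good_url"][2:])

PAGE_RULES = [("allow", "good_url"), ("deny", "bad_url"), ("allow", "all")]
NO_LAST_LINE = PAGE_RULES[:2]
CLOSED = [("allow", "good_url"), ("deny", "all")]


def acl_matches(name, urlpath, acls=ACLS):
    """urlpath_regex-style test: unanchored search, any pattern may match."""
    if name == "all":
        return True
    return any(re.search(p, urlpath) for p in acls[name])


def http_access(rules, urlpath, acls=ACLS):
    """Return 'allow' or 'deny' for one request path (path plus query)."""
    for action, name in rules:
        if acl_matches(name, urlpath, acls):
            return action  # the first matching line decides
    # Nothing matched: the default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


def admitted(rules, must_deny, acls=ACLS):
    """Whitelist regression check: which must-deny paths get through?"""
    return [p for p in must_deny if http_access(rules, p, acls) == "allow"]


# Constructed request paths.
HOME = "/psp/DEV/EMPLOYEE/HRMS/h/?tab=DEFAULT"
LOGOUT = "/psp/DEV/EMPLOYEE/HRMS/?cmd=logout"
ADMIN = "/psp/DEV/EMPLOYEE/HRMS/c/ADMIN_MENU.ADMIN_COMP.GBL"
ADMIN_Q = ADMIN + "?from=login"  # 'login' appears only in the query string
OTHER = "/psp/TST/EMPLOYEE/HRMS/c/ADMIN_MENU.ADMIN_COMP.GBL"

if __name__ == "__main__":
    for label, rules in [("page", PAGE_RULES), ("no last line", NO_LAST_LINE),
                         ("closed", CLOSED)]:
        for path in (HOME, LOGOUT, ADMIN, ADMIN_Q, OTHER):
            print(f"{label:13} {http_access(rules, path):5} {path}")
    print("loose whitelist admits:", admitted(CLOSED, [ADMIN, ADMIN_Q, OTHER]))
    print("tight whitelist admits:",
          admitted(CLOSED, [ADMIN, ADMIN_Q, OTHER], TIGHT))
```

A path that matches neither ACL is allowed both with and without the final `allow all` line; only ending the list with `deny all` closes it.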


PeopleSoft and IE9


It seems that IE9 behaves slightly differently to other browsers when displaying some PeopleSoft pages, and this results in pages that look a little odd.  Areas of whitespace appear between page objects, and fields that are nicely laid out in other browsers are mis-aligned in IE9. Strangely it doesn’t happen on the homepage, but it does on every other page.


Here’s an example:


So what causes it, and what can be done about it?


It seems as though the disparity between the homepage and other pages is caused by the browser switching between the Standards and Quirks rendering modes. I’ve performed cursory testing in Firefox (v4.0), IE (v8.0 and v9.0) and Chrome (v10.0) and they all render the PeopleSoft homepage in Quirks mode by default and other pages in Standards mode.  I suspect that this is due to the lack of a doctype in the homepage – as this is present in other pages.


There’s an excellent bookmarklet here which tells you which render mode you’re currently in (although you can also use browser specific tools like Firefox developer’s toolbar and the IE Dev Tools).


Regardless of which mode Firefox and Chrome are in they render the page correctly (and by this I mean ‘as we are used to seeing it’, it may not be syntactically correct!).  The same is true for IE8; it’s just IE9 that displays the page differently if in Standards mode (which it will be for all pages other than the homepage).


So, how do we fix it?  I basically insert a directive into the PeopleSoft HTML template for all non-homepage pages telling IE to act like an earlier version.  It’s not the most elegant solution but it seems to do the trick, at least until something official comes along.


Open PT_HNAV_TEMPLATE and look at the 4th line.  It should look like this:




Comment this line out and add a line below, thus:





You shouldn’t even need a Web or App Server reboot.  The new template forces IE9 to behave like IE7 and displays your PeopleSoft pages correctly.


Changing the Favicon in PeopleSoft – The “How to”


Last week I posted a blog entry highlighting why I think adding a favicon to PeopleSoft can be a helpful visual aid for your users.  This post walks through how I did it – note: I’ve only tested this in Tools 8.50.


It’s probably a good idea to have one for each environment excluding Production that shows the environment name, and then have Production as the corporate logo (or your PeopleSoft system logo etc).  I created my 32×32 pixel images in GIMP as it can save as a .ico file, but any graphics package will do (as will this online ico creator).  I didn’t experiment with other sizes or file formats, let me know if you do and I’ll update the post.


Upload your icons as images in App Designer.


We need to create a function to provide the correct image for each environment as we’ll be calling this from more than one place.  I added my function to WEBLIB_PT_NAV.ISCRIPT1 as we’ll be customising it later anyway.

Function GetFavicon() Returns string
   Local string &Favicon;
   /* Default to an empty string for any environment not listed below */
   &Favicon = "";
   Evaluate %DbName
   When = "DEV"
      &Favicon = %Response.GetImageURL(Image.<>);
      Break;
   When = "TST"
      &Favicon = %Response.GetImageURL(Image.<>);
      Break;
   ...etc...
   End-Evaluate;
   Return &Favicon;
End-Function;

You need to amend both PT_HNAV_TEMPLATE and PT_IFRAME_HDR_SWAN HTML templates so that the code for the Favicon can be passed in.


Amend PT_HNAV_TEMPLATE thus (I’m just showing the top 6 lines – lines 4 and 5 are the ones I’ve added):

%bind(:23)
...

Amend PT_IFRAME_HDR_SWAN thus (I’m just showing the top 5 lines – lines 3 and 4 are the ones I’ve added):

%bind(:25)...

Note: Your bind numbers may vary. You can check they’re correct when we get to the calling functions shortly.


The final step is to amend the PeopleCode so that the string provided by our GetFavicon function is passed into our HTML definitions.  Open PT_BRANDING.BrandingBase.  Scroll down to where the delivered code is declaring functions (it’s around line 155 for me) and declare the function that you created in Step 2.


Next, find method ‘getIframeHeaderHTML’ and scroll down to near the bottom.  You’ll see a call to one of the HTML objects that you just amended ‘PT_IFRAME_HDR_SWAN’.  Add your function as a parameter to the end thus:

&hdrHTML = GetHTMLText(HTML.PT_IFRAME_HDR_SWAN, &charSet, ... , &hoverNavLoc, GetFavicon());

As a double-check, you should also make sure that it’s the same number parameter as the bind variable that you added in the previous step.


You’ll need to make a similar change for the other HTML template.  Open WEBLIB_PT_NAV.ISCRIPT1.FieldFormula and search for the function ‘buildIframeTemplate’.  Again, scroll down to the end of the function and add your function as a parameter to the end:

Return GetHTMLText(@("HTML." | &templateHTMLObjName), &charSet, &requiredToolsSS, ... , &ptcxmCollapseImgURL, GetFavicon());

Again, make sure that the parameter number matches the bind number in the HTML file (PT_HNAV_TEMPLATE) earlier.


You should be able to sign in and see the results immediately.  Good luck and let me know how you get on!


Error in Recruitment – Build Applicant Search


This probably won’t help a great many people, but for the small minority it does help it might save them a lot of time …


There’s a problem with the Applicant Search process in HR9.1 (we’re currently on MP2).  When you build the Applicant Index it starts the HRS_SRCH_IDX process.  This App Engine starts one or more HRS_SRCH_APP processes.  Sometimes HRS_SRCH_APP runs to Success, other times it doesn’t.  Initially we thought this was down to locking (if there are more than one running simultaneously one was trying to delete from a table that the other was inserting into), however we set the concurrency to 1 and this was still occurring.


Examining the log files we could see that it loops through all languages in the system (regardless of how many languages had been installed) and creates a subdirectory under ps_cfg_home\data\search\HRS_ResumeText\\ for each language. The process gets as far as Italian and then fails (it creates an ITA directory and all the containing files, but does not create JPN – the next language).


We checked out customer connection My Oracle Support and there wasn’t a great deal.  The only relevant post we could find was this one which suggested deleting the JPN language from PSLANGUAGES (and I suspect all of those following JPN).  Unfortunately we need multi-language support so this wasn’t a viable option for us.  There wasn’t anything on Google either so we were on our own.


Looking through the log files we found this:
mkvdk - Verity, Inc. Version 6.2.0 (_nti40, Jan 30 2008)
Error   E0-1509 (Drvr): dlopen() returned:
Error   E0-1510 (Drvr): Error loading driver library 'D:\ps_home\verity\winx86\_nti40\bin\locbasis.dll'
Error   E0-1203 (Language): Error reading language definition file: D:/ps_home/verity/winx86/common/japanb/loc00.lng
Error   E0-1230 (Language): Could not create locale japanb
Error    (): Fatal error - exiting
mkvdk done
mkvdk: VDK error -200: couldn't create VDK session
Both of the files referenced in the error message (locbasis.dll and loc00.lng) are present and read/write to the Process Scheduler user account though, so this wasn’t much help.


The code in the App Engine calls a fair sized chunk of Application Package PeopleCode, but eventually I found the logic that creates the directories/Verity Search collections.  The last command issued before the error was:


bin\server\winx86\mkvdk -create -collection -locale japanb d:\ps_cfg_home\data\search\HRS_ResumeText\TST\JPN -logfile d:\ps_cfg_home\data\search\HRS_ResumeText\TST\veritybuild.log


When I run this in a command prompt window (after setting the ps_home env var) I get the following error message:


The program cannot start because MSVCP71.dll is missing from your computer.


Interesting, so I have a missing dll.  Using Process Monitor (the SysInternals one, not PeopleSoft Process Monitor) I can see that it’s looking for the dll in ‘\verity\winx86\_nti40\bin\’.



Once I located a copy of the DLL and copied it there the HRS_SRCH_APP process ran fine and the directories were created for all languages.


So why is this file missing?  I believe it’s an issue of Oracle assuming that Microsoft bundles it in Windows, and Microsoft no longer doing so.  See this from Microsoft:



The shared CRT DLL has been distributed by Microsoft in the past as a shared system component.  This may cause problems when you run applications that are linked to a different version of the CRT on computers that do not have the correct versions of the CRT DLL installed. This is commonly referred to as the “DLL Conflict” problem.  To address this issue, the CRT DLL is no longer considered a system file, therefore, distribute the CRT DLL with any application that relies on it.


OpenWorld 11 / Suggest a Session on Oracle Mix


I’ve never been to OpenWorld and I’d love to go.  There are so many US based PeopleSoft people that I’d love to meet.


I noticed the ‘Suggest a Session’ post on the Oracle Mix blog and thought I’d give it a go.  I’d be petrified at the thought of talking to an audience the size that you get over there, but sometimes you have to try these things.


I’m a bit late to the game, but if anyone fancies either of the topics I’ve put forward I’d appreciate a vote:


Case Study: Deliver engaging Self Service with an additional PeopleSoft portal



Join me for a Case Study of how a green-field PeopleSoft retail client in the UK used HR9.1 and PeopleTools 8.50 to turbo-charge the user experience of their Employee and Manager Self Service users. This will be a demo intensive session as I walk through the steps to deployment and show how you can deliver a genuinely engaging interface for your employees without needing products from outside the Oracle stable. The retail client is live in the UK and coming to the US soon!


Case Study: How The Cloud accelerated the PeopleSoft project of a UK retailer



Join me for a walk-through of how we used ‘the Cloud’ to dramatically speed-up the PeopleSoft implementation for a greenfield UK retailer. This isn’t another “theoretical cloud talk”, I’ll detail how it worked in practise. It improved our access requirements, reduced infrastructure costs and gave us access to more powerful servers and greater resilience than we’d otherwise have been able to afford. I’ll walk you through the initial decision, explain how everything was set up and demonstrate the benefits delivered to the project. I’ll also describe other occasions where the flexibility of PeopleSoft in the cloud has been invaluable.


Click on the headers to go to the voting page (you’ll need to sign-up for Mix if you don’t already have an account).


Thank you!


Custom toolbars on PeopleSoft Rich Text Boxes


If you’re on Tools 8.50 or 8.51 you’re probably familiar with the new Rich-text edit boxes by now.  They allow you to amend the text with formatting, colour, links, images etc.  This is how a field looks when the default Rich Text toolbar is applied:


This is all very good when the field is in a nice empty page, where there’s plenty of space for a large toolbar.  Many pages have a lot of fields on them, and the addition of a bulky toolbar might make the page appear busier and more crowded.  Also, some users may get confused with the wide choice of buttons available.


I faced a similar issue today.  I needed to have the user enter some text and be able to embed links, but because of the design aesthetics of where the results would be output, I wanted to discourage the user from having lots of different colours, font sizes etc. So I wanted to reduce the toolbar so it had just two buttons – add link and remove link.


It turns out that there’s a pretty simple way of customising the toolbar. 


Against the Page Field properties of the Long Edit box there is an Options tab (you probably used it to make the field Rich Text).  The first drop-down allows you to select alternate configurations (they’re all HTML Objects).  There isn’t a delivered one that did what I wanted, so I took an existing one and modified it.


I opened an existing one (‘PT_RTE_CFG_PTPPB’) and took a look at the contents:


<!--
FCKEditor configuration file for Pagelet Wizard HTML Data Source
-->
CKEDITOR.config.skin='office2003';
CKEDITOR.config.toolbar =
[
['Source','-','Maximize','Preview','Print','-','Cut','Copy','Paste','-','Undo','Redo','-','Find','Replace','-','HorizontalRule','Table','imageUPLOAD','Link','Unlink','SpecialChar'],
['Format','Font','FontSize','-','Bold','Italic','Underline','Strike'],
['JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock','-','NumberedList','BulletedList','Outdent','Indent','-','TextColor','BGColor']
];


It’s pretty clear to see that each toolbar button is represented by an entry in the CKEDITOR.config.toolbar section. I cloned the delivered one and reduced the toolbar section down to:
CKEDITOR.config.toolbar =
[
['Link','Unlink']
];


This had the desired effect of reducing the toolbar to exactly what I needed, but it had introduced an unwanted bottom section which shows the HTML tags for the edit box.



There was nothing in the config file that I’d specified that had introduced this, so where had it come from?


It turns out that when you specify a config file, it overwrites the default values.  After a good deal of searching I located them in:


\webserv\\applications\peoplesoft\PORTAL.war\\ckeditor\config.js


Not only does it specify the defaults for the toolbar, but it also contains the lines:


config.resize_enabled = false;
config.removePlugins = 'elementspath';


Once I’d added these two lines to my config HTML object my rich text box displayed exactly as required – a much simpler and more compact edit box containing just the toolbar buttons that I want:



Changing the Favicon in PeopleSoft


A Favicon (short for favorites icon, also known as a shortcut icon, website icon, URL icon, or bookmark icon) is a small logo that appears next to the website URL in the browser address bar.  This website has the favicon from WordPress, as that’s the blogging platform that I use.


Although adding a favicon made the web surfing experience marginally more attractive (the favicon also appears in your bookmarks/favourites menu to make it easier to identify each website, for example) it was pretty unimportant to us in the PeopleSoft world.  Now that tabbed browsers are starting to proliferate into company workstation rollouts the favicon is starting to become more useful.


As an example, can you identify these 9 favicons from my open browser tabs (I’ve redacted the text from a couple as they’re pretty easy):



I’m quite a fan of finding methods to make it easy to differentiate your PeopleSoft environments.  I think it’s a useful productivity tweak to be able to instantly know whether you’re in DEV, TST or PRD without having to check the address bar and parse through the URL (for less technical business users especially).


Wouldn’t it be useful to have a different Favicon for each environment?  That way you can easily tell which tab you need.  When you’re trying to find a specific environment that you’ve logged into, how useful is it to go from this:


to this:



And with grouped taskbar buttons being the default in recent versions of Windows, it’s also handy to go from this:



to this:



So how is it done?


It’s not a big customisation, although it does obviously touch a couple of Tools objects.  I’ve written it up here.
