Wednesday, February 3, 2016

Moving to psadmin.io

I have moved all my PeopleSoft blogging efforts over to psadmin.io. Together with Dan Iverson, we will be posting on the PeopleSoft Administrator topic. We are also creating a podcast, which we are really excited about. I will be leaving this blog up as long as there is still traffic coming here, but I won't be adding any new content. Thanks for reading!

Wednesday, October 14, 2015

PeopleTools 8.55 PeopleBooks Posted?

Tonight I have been doing some research on Query Access Service. This is the cool new tool that gives us access to Query through REST. Like most of you who have played with it, the first thing I wanted to do was see how I could return the results in JSON. In my initial search of a few blog posts (thanks as always, Jim!), I quickly discovered this is not possible in 8.54. However, I did a little more searching and found some references to an option to add json_response to the end of your Query, returning JSON!

I quickly realized I was looking at the new 8.55 PeopleBooks. I haven't seen any mention of this being released yet. Should I be looking at this?

8.55 PeopleBooks

QAS and JSON

Wednesday, July 15, 2015

Reconnect 2015

You know it is the heart of summer when Reconnect comes around! I'm looking forward to some good sessions in Chicago, but this year I'll also be presenting. I will once again be talking virtual cards at session "Implementing a Virtual Card Payment Method" - Thursday, 8 am at Paris. Then Thursday 10:30 am at DaVinci I will be presenting "Simplify Security Requests with Forms and Approval Builder". I hope to see you there!

Sunday, June 21, 2015

Disabling PS_TOKEN with PSEatCookies Filter

As many of you have probably heard, there has been much discussion over the past few weeks regarding vulnerabilities in PeopleSoft's PS_TOKEN. The talk all started after a presentation from ERPScan, which basically said that a PeopleSoft node's password can be gained by brute force against a PS_TOKEN. This would allow someone to generate their own PS_TOKEN for any userid.

Now, word is that Oracle plans to bump up its SHA-1 salted encryption with PeopleTools 8.55. However, it is probably a long way out before most of us get to 8.55. And when we do get there, who's to say how long this new encryption will be considered secure? One option is to simply disable the PS_TOKEN, and therefore prevent this vulnerability altogether! The problem is, PeopleSoft does not give us the option to disable it.

I decided to come up with a proof of concept for a custom solution to this issue. I wrote a Java servlet filter, called PSEatCookies, that will prevent a PS_TOKEN, or any other cookie you specify, from being added to the HttpServletResponse. The basic structure and setup is very similar to the filter delivered in the Kerberos Desktop Single Signon solution. I have added the Java source, classes and an example web.xml entry to a GitHub repository. You can download it and follow the instructions for setup in the readme file here: https://github.com/kbens/ps-eat-cookies.

I can see this filter being handy when you have a web server located in your DMZ for a single PeopleSoft application. This way you can turn on this filter without impact to your internal users, who most likely would need their PS_TOKEN to jump between multiple applications. Otherwise, you would have to really build this out with special rules and logic, or purchase a third-party product that allows for more configuration.
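To make the approach concrete, here is a sketch of a response-wrapping servlet filter that drops named cookies. It is an added example, not the PSEatCookies source from the repository; the class name `DropCookieFilter` and the `cookieNames` init-param are hypothetical.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration, not the PSEatCookies source. The class name and the
// "cookieNames" init-param are hypothetical.
public class DropCookieFilter implements Filter {
    private final Set<String> blocked = new HashSet<>();

    @Override
    public void init(FilterConfig cfg) {
        // Comma-separated cookie names from web.xml; defaults to PS_TOKEN.
        String names = cfg.getInitParameter("cookieNames");
        for (String n : (names == null ? "PS_TOKEN" : names).split(",")) {
            if (!n.trim().isEmpty()) blocked.add(n.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Hand the rest of the chain a wrapper that silently discards blocked cookies.
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void addCookie(Cookie c) {
                if (!blocked.contains(c.getName())) super.addCookie(c);
            }
            // Cookies can also be written as raw Set-Cookie headers.
            @Override
            public void addHeader(String name, String value) {
                if (!isBlocked(name, value)) super.addHeader(name, value);
            }
            @Override
            public void setHeader(String name, String value) {
                if (!isBlocked(name, value)) super.setHeader(name, value);
            }
        });
    }

    // True when the header is a Set-Cookie whose cookie name is on the block list.
    private boolean isBlocked(String header, String value) {
        if (!"Set-Cookie".equalsIgnoreCase(header) || value == null) return false;
        int eq = value.indexOf('=');
        return eq > 0 && blocked.contains(value.substring(0, eq).trim());
    }

    @Override
    public void destroy() { }
}
```

A filter like this is registered with `<filter>` and `<filter-mapping>` entries in the web application's web.xml. To confirm it is active, sign in through that web server and check that the responses no longer carry a `Set-Cookie: PS_TOKEN=...` header.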

Update 07/15/2015: If you find any problems, have ideas for enhancements or just have a question, feel free to open an issue on GitHub!

Tuesday, February 10, 2015

Alliance 2015

It is hard to believe that Alliance 2015 is only a few weeks away. I'm very excited for the opportunity to be in Nashville and see some great sessions! I'm also excited to be presenting a mini session this year. If you are interested in the Procure-to-Pay track and have the time in your schedule, please check out my session on Monday, March 16th at 4:30pm in Ryman Studio PQR. My session is titled Implementing a Virtual Card Payment Method, and I'll be discussing Hennepin County's recent implementation of a virtual card program utilizing Financial Gateway. It will be a mix of functional and technical topics, so I hope to see you then!

Saturday, December 20, 2014

Online Journal Edit and Budget Checking in 9.2

If you are upgrading to 9.2 you should be aware of a change to how Journal Edit and Budget Checking is run when kicked off online. Previously when you brought up a Journal online and initiated a Journal Edit, an App Engine would be kicked off on the Process Scheduler. Starting in 9.2, this Application Engine is now running on the App Server.

With this approach there is the potential for the AE to time out depending on your app server settings - often this is set to 5 minutes. If this timeout occurs, then you will be logged out of your session and the Journal will be left stuck somewhere in the middle of the process. At that point you would need to come up with some SQL to reset flags and other data in order to process again.

In general, this process should finish rather quickly so you shouldn't have to worry. But there are two scenarios in which you may find yourself butting up against the timeout limit:
  • Processing a Journal with a very large number of lines, especially lines that have complicated coding.
  • Many users all processing Journal Edits concurrently, most likely at month end.
A major factor in the performance of these App Engines is the configuration and usage of temp tables. If you run into issues, review these temp tables with your DBA. The tables may need data cleanup and stats reviewed. It appears the online instances of these temp tables will need some hand holding until we see a few more images released. There are some MOS documents out there referencing some bugs and explaining how to perform cleanup on these tables until they have some issues worked out.

If you are still seeing timeout issues, you may need to add more temp table instances. This can be helpful if you have many concurrent users running the App Engine. This change should be reviewed carefully, since it can have a large impact on your database. The number of temp table instances available for use by an Online App Engine is determined by a PeopleTools configuration, which is a system-wide setting. If this setting was 3, which is the default, then PS_TEMP1, PS_TEMP2 and PS_TEMP3 would all be dedicated to online instances. For App Engines run on the process scheduler, the number of instances is taken from the App Engine setting in App Designer. If this setting is also 3, then tables PS_TEMP4, PS_TEMP5 and PS_TEMP6 could be used. So the total number of temp table instances will be the online instance count plus the count set on each App Engine that uses the table.



Tuesday, August 5, 2014

Testing the PeopleSoft File Attachment Framework

I am in the process of setting up PeopleSoft File Attachments using an HTTP Repository. I wanted to do some testing of this new configuration, and I found that there is a delivered testing utility. It is nothing special, but it does the job of quickly validating that things are working.

Note: If you are using a URL Id, make sure you add the "URL." prefix. It won't work if you leave this off.