Uniqueness of PIA Cookie Names

Background I just completed a project where we consolidated our Weblogic web servers into fewer servers. In the past we had one server for each PIA. The new implementation has two Weblogic servers, each with three PIAs and a hardware load balancer to provide high availability. Each PIA is bound to a specific virtual IP and listens on port 443 for HTTPS access. This is a very resilient implementation that provides high up-time for end users. However, I quickly realized that I was having strange single-signon issues. When I logged into the Interaction Hub, and clicked a link to access HCM […]

How to solve NET:ERR_CERT_COMMON_NAME_INVALID in Chrome 58 with Internal Enterprise CA

Chrome v. 58 Reports: Your connection is not Private Google released Chrome 58 in late April 2017. This update suddenly caused our PeopleSoft and other internal HTTPS sites to report “Your connection is not Private” and “NET:ERR_CERT_COMMON_NAME_INVALID”: This was a bit of a surprise for us, and after a little research we realized that our internal Enterprise CA (Certificate Authority) does not populate the Subject Alternative Name (SAN). With update 58, Chrome requires that the SAN field is populated. Certificates signed by commercial certificate authorities automatically add the SAN. However, we have dozens of internal SSL sites, so we set up […]

PeopleSoft Kerberos Authentication (Desktop Single Signon) – PeopleTools 8.55

I am in the middle of a PeopleTools 8.54 to 8.55 upgrade, and I was interested in knowing if Kerberos authentication still works with PT 8.55. As you may know, Oracle does not really support the implementation, but continues to deliver the class files. The good news is that it still works in PeopleTools 8.55. The only area that has changed slightly is the setting of the JavaVM Options= in the psappsrv.cfg file. This configuration parameter now exists 3 times in this file, so make sure to change the value in the [PSTOOLS] section. I have updated my initial post […]

App server process crashed with system errno = 32-Broken pipe

Another Production Issue Just as I was returning from lunch I received a bunch of alerts on my phone from our Microsoft SCOM log monitor that one of our FSCM production application server processes had crashed. The message in the log was: PSAPPSRV.8944    (5354)    [2016-11-08T13:01:45.030 user@smartpeoplesoftadmin.com (FIREFOX 49.0; WIN7) ICPanel](0)    PSAFFIRM(GlobalLock : invalid memory address from E:\pt85405c-retail\peopletools\src\pssys\qdmutil.cpp 4385) failed at E:\pt85405c-retail\peopletools\src\pscmnutils\globalmem.cpp, line 233.  Processing will abort. PSAPPSRV.8944    (5354)    [2016-11-08T13:01:45.031 user@smartpeoplesoftadmin (FIREFOX 49.0; WIN7) ICPanel](0)    PSAFFIRM(GlobalLock : invalid memory address from E:\pt85405c-retail\peopletools\src\pssys\qdmutil.cpp 4385) failed at E:\pt85405c-retail\peopletools\src\pscmnutils\globalmem.cpp, line 233.  Processing will abort. PSPAL: Abort: PSAFFIRM(GlobalLock : invalid memory address from E:\pt85405c-retail\peopletools\src\pssys\qdmutil.cpp 4385) […]

My FSCM Production PIA Crashed – java.lang.OutOfMemoryError: Java heap space

Production Down Fridays are usually quiet around here, and this past Friday started out quiet too. However, at 10:12am my monitoring software informed me that my production FSCM PIA was down. Immediate action required! While trying to stay calm and before my phone started ringing furiously, I RDPed to my web server. I went through these troubleshooting steps: Troubleshooting 1/ Is the PIA service still running? – Check it's still running according to Windows services 2/ What errors do I have in the logs? Navigated to <PS_HOME>\webserv\PFSCM\servers\PIA\logs and opened the PFSCM.log file. Where I found the following entry: ####<Nov 4, […]

PeopleSoft Kerberos Authentication (Desktop Single Signon) – Troubleshooting

Overview In my last three posts I covered the creation of the Domain Account, SPN and Keyfile, the required configuration on the web and application server and the PeopleCode and security changes. However, as a final bonus I thought I would cover some troubleshooting tips that I found helpful during my implementation. Troubleshooting Duplicate SPN If the authentication is not working, open the PIA_weblogic.log and look for a message like KerberosSSOFilter: Received invalid token. This indicates that the token received from the client browser is incorrect or invalid. To further troubleshoot this issue, download and install Wireshark. Using Wireshark, capture […]

PeopleSoft Kerberos Authentication (Desktop Single Signon) – Signon PeopleCode and Security

Overview In my last couple of posts I covered the creation of the Domain Account, SPN and Keyfile, I also covered the required configuration on the web and application server. This final post will cover the required PeopleCode and security changes. Signon PeopleCode Login to the target environment with Application Designer. Open the FUNCLIB_LDAP Record, Right Click the LDAPAUTH field, and select the View PeopleCode Locate the function getWWWAuthConfig Edit the &defaultUserId to the default guest user that will be defined later Function getWWWAuthConfig()    &defaultUserId = "PS_GUEST"; End-Function; Add the following code at the end of the file. Notice that […]

PeopleSoft Kerberos Authentication (Desktop Single Signon) – Web and App Server Config

Overview In this post I will describe how to configure the PeopleSoft web and application server for Kerberos authentication. I covered the configuration of the domain account, SPN and keyfile here. Create krb5.conf and krb5Login.conf Files Create a krb5.conf file and place it in the E:\kerberos folder on the web and application server. The file should be identical. (you can choose a different folder, just update the following instructions with our folder) krb5.conf [libdefaults] default_realm = SMARTPEOPLESOFTADMIN.COM dns_lookup_kdc = true dns_lookup_realm = true [realms] SMARTPEOPLESOFTADMIN.COM = {     kdc = DC1.SMARTPEOPLESOFTADMIN.COM     default_domain = SMARTPEOPLESOFTADMIN.COM } Update the default_realm, [realms], […]

PeopleSoft Kerberos Authentication (Desktop Single Signon) – Domain Account, SPN and Keyfile

Overview In this post we will finally get into the configuration of Kerberos SSO for PeopleSoft. The reference environment is running on Windows 2012 R2, using a SQL Server database. The assumption is that the usernames in PeopleSoft are the same as the Windows usernames. This is typically done using LDAP authentication, and is documented in PeopleBooks. This series of blog posts will not cover LDAP configuration. However, it is not really necessary to use LDAP authentication for Kerberos to work. All that is required is that the User IDs in PeopleSoft are the same as the Active Directory. I […]

PeopleSoft Kerberos Authentication (Desktop Single Signon) – Understanding Kerberos

Kerberos Background As I mentioned in my previous post, I have had the opportunity to implement Kerberos Desktop Single Signon (SSO) for PeopleSoft. When I started on this project I did not understand Kerberos very well, however to get SSO to work correctly I had to dig into the underlying technology to troubleshoot the implementation. Here I share some of the lessons that I learned. To get a background in Kerberos, Google is your friend. Here is one good primer. CNAMEs vs. A-Records The environment where I implemented PeopleSoft SSO uses a lot of DNS aliases for the environment URLs. […]